Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Hijacking Email with Cloudflare Email Routing - 922

Albert Pederson, Posted 3 Years Ago
  • Cloudflare Email Routing was in a closed beta, and the author had not been invited. Access to the feature was gated by a check in the UI, which could be bypassed by changing a boolean from true to false.
  • The actual bug is in the email routing itself. When setting up routing for a domain, you need to prove ownership of that domain. Changes, such as modifying the DNS records, should not be possible until ownership of the domain is verified. A domain can only be active in one account at a time, but multiple accounts can hold it in the unverified/pending state at the same time.
  • The author wanted to confirm that domain ownership was validated before changes could be made. It turns out that it wasn't! So, an attacker could hold a domain in the pending state and still make changes to it. This only worked for domains already using Cloudflare Email Routing.
  • As an attacker, this allows for hijacking email routing entirely by specifying an additional destination for mail to be delivered to. This completely breaks the privacy of email! Additionally, email is commonly used for password resets, putting all users at major risk.
  • Overall, two great bug finds for a bug bounty payout.
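The missing check described above, as an added example that is not from the original write-up and is not Cloudflare's code: a small Python model where a change to shared routing state is accepted from a pending zone, next to a version that requires the zone to be verified first. All names (Zone, ZoneStore, add_route_vulnerable, add_route_hardened) and the example.com addresses are hypothetical.

```python
# Constructed model of the authorization flaw; not Cloudflare's implementation.
from dataclasses import dataclass


class NotVerified(Exception):
    """The calling account has not proven ownership of the domain."""


@dataclass
class Zone:
    domain: str
    account: str
    status: str = "pending"  # becomes "active" only after ownership is proven


class ZoneStore:
    def __init__(self):
        self.zones = {}   # (domain, account) -> Zone; many accounts may be pending
        self.routes = {}  # domain -> destinations; shared state for the domain

    def add_zone(self, domain, account):
        self.zones[(domain, account)] = Zone(domain, account)

    def verify(self, domain, account):
        # Only one account may hold a domain in the active state.
        if any(z.domain == domain and z.status == "active"
               for z in self.zones.values()):
            raise ValueError("domain is already active in an account")
        self.zones[(domain, account)].status = "active"

    def add_route_vulnerable(self, domain, account, dest):
        # Flaw: checks that the zone exists in the account, not that it is verified.
        if (domain, account) not in self.zones:
            raise KeyError("no such zone in this account")
        self.routes.setdefault(domain, []).append(dest)

    def add_route_hardened(self, domain, account, dest):
        zone = self.zones.get((domain, account))
        if zone is None:
            raise KeyError("no such zone in this account")
        # Fix: refuse any change until this account's ownership is verified.
        if zone.status != "active":
            raise NotVerified(f"{account} has not verified {domain}")
        self.routes.setdefault(domain, []).append(dest)
```

The same status check belongs on every endpoint that writes domain-level state (DNS records, destinations, rules), enforced server-side rather than in the UI.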