Abusing auto mail responders to access internal workplaces
Whenever you send an email to a company address such as support@example.com or contact@example.com, you may have noticed that you are greeted with an auto reply. Look closely at that auto reply: the email consists of 2 parts:
- The automatic message from the mail server.
- The original message that was sent by the client.
The email content is being sent back to the sender himself, so there is not much damage we can do. Or can we?
The reply-to feature.
Almost all mail services provide us with an option to specify a reply-to address. If we send an email from rikesh@gmail.com with reply-to set to rksh@gmail.com, the reply to that email will be delivered to rksh@gmail.com instead of rikesh@gmail.com.
The invite feature.
Many SaaS organizations allow the admin to invite users to their organization. One such website is Figma, one of the popular SaaS products used by many companies. During my testing, what I observed was: if I, rikesh.baniya@gmail.com, send an invite to a user rikesh@gmail.com, the invite link would be sent in the following manner:
from: no-reply@email.figma.com [Figma]
to: rikesh@gmail.com [Invitee]
reply-to: rikesh.baniya@gmail.com [Inviter]
Wow, we are able to set an attacker-controlled email address as the reply-to?
Chaining everything
The invite link sent by Figma was also a signup link to join the organization. Now assume that redacted@hackerone.com is an autoresponder address: it will auto reply to all the emails it receives. The auto-reply consists of 2 parts:
- "thank you for your message"
- "original email that is received"
So now if I, rikesh@gmail.com, invited redacted@hackerone.com to my Figma team, Figma would first email the signup link to redacted@hackerone.com. redacted@hackerone.com would then auto respond to that email saying "We have received your request" plus append the original email that it received, containing the invite link. The issue here was that Figma was setting the inviter address, rikesh@gmail.com, as the reply-to address. Thus all the replies were getting forwarded to the inviter himself. How cool is that. 😂
Trying to demonstrate the flow
[Image: email received by the inviter]
Exploit and impact
Tons of sites have autoresponders that automatically reply to incoming email: support@target.com, help@target.com and so on. This allowed an attacker to claim any @target.com address in Figma. Figma has a domain capture feature, meaning that if you have a verified @target.com account you can auto join the internal workplace in Figma. Figma does have an SSO login option, so SSO-login-based organizations were secure against this attack.
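The other half of the fix belongs to the autoresponder. As an added example (not code from the original post or from Figma), here is a small Python-stdlib autoresponder that follows RFC 3834 guidance: it answers the envelope sender taken from Return-Path and ignores Reply-To, refuses to answer mail that is itself automated, and never quotes the original message back, so an invite link arriving at support@ is not bounced to whoever set Reply-To. The sample invite and all addresses are constructed for the demo.

```python
# Added example (not from the original post): an autoresponder that would not
# have leaked the invite link. It follows RFC 3834 guidance: reply to the
# envelope sender (Return-Path), ignore Reply-To, skip automated mail, and
# never quote the original message back. All addresses are constructed.
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr


def should_auto_reply(msg):
    """Refuse to answer mail that is itself automated or bulk (loop protection)."""
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return False
    if msg.get("Precedence", "").strip().lower() in ("bulk", "list", "junk"):
        return False
    return not msg.get("List-Id")


def auto_reply_recipient(msg):
    """Envelope sender from Return-Path; the Reply-To header is deliberately ignored."""
    _, addr = parseaddr(msg.get("Return-Path", ""))
    return addr or None


def build_auto_reply(msg, mailbox):
    """Return the auto-reply as an EmailMessage, or None if no reply should go out."""
    recipient = auto_reply_recipient(msg)
    if recipient is None or not should_auto_reply(msg):
        return None
    reply = EmailMessage()
    reply["From"] = mailbox
    reply["To"] = recipient
    reply["Subject"] = "Auto: " + msg.get("Subject", "")
    reply["Auto-Submitted"] = "auto-replied"   # lets other responders skip us
    if msg.get("Message-ID"):
        reply["In-Reply-To"] = msg["Message-ID"]
    # Fixed text only: the original body (and any link in it) is not quoted.
    reply.set_content("We have received your request and will get back to you.")
    return reply


# Constructed message shaped like the invite in the post (Reply-To set to the inviter).
SAMPLE_INVITE = """Return-Path: <bounce@invites.example.com>
From: no-reply@invites.example.com
To: support@target.example
Reply-To: inviter@attacker.example
Subject: You have been invited to a team
Message-ID: <invite-1@invites.example.com>

Join the team: https://invites.example.com/signup?token=PLACEHOLDER
"""

if __name__ == "__main__":
    print(build_auto_reply(message_from_string(SAMPLE_INVITE), "support@target.example"))
```

Run as-is, the reply is addressed to bounce@invites.example.com rather than the Reply-To address, and its body contains no trace of the signup link.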
Exploiting it against Figma themselves
Figma uses Zendesk to handle their user support tickets. You can log in to Zendesk using your own Figma account. To exploit it, I sent an invite to figma@redacted-figma-asset.com, which was an auto responder, got access to the signup link and created a verified Figma account using the Figma email address. Then, logging in to Zendesk with that Figma account gave me access to internal tickets. To sum it up, it was a very cool chain of issues.