Danish Skive College student Albert Pedersen managed to break into the closed beta of Cloudflare Email Routing (without an invitation) and discovered a vulnerability that attackers could use to capture and steal someone else’s email. Pedersen ended up getting $6,000 from Cloudflare through a bug bounty program.
In an article published earlier this week, Pedersen revealed that he alerted Cloudflare to the problem via HackerOne as early as December 7, 2021. According to him, the company fixed the bug within a few days, but the error was not made public until July 28, 2022, after which Pedersen finally got the opportunity to publish his own report on what happened.
As a reminder, Cloudflare developers introduced their own Email Routing service in the fall of 2021, making it available only as a closed beta. The service, which went into public testing in February this year, allows customers to create and manage email addresses for their domains and forward mail to specific mailboxes.
Pedersen writes that the first test for him was the very penetration into the closed beta:
“When I discovered this vulnerability, Cloudflare Email Routing was still in closed beta and only a few domains were granted access. Unfortunately, I wasn’t invited to that party, so I just had to break in.”
The researcher ended up infiltrating the beta by manipulating data sent by Cloudflare’s backend servers to the Cloudflare dashboard opened in his browser. He writes that he simply used Burp to intercept the response and replace ‘beta’: false with ‘beta’: true, which caused the control panel to think that he had access to the beta version.
After that, he set up Email Routing for one of his domains so that mail from a custom address in that domain (for example, albert@example.com) would be routed to his personal Gmail address.
At that time, his domain was linked to his main th Cloudflare account, verified, and Email Routing was set up and working as it should. It’s worth noting that verification means that the domain’s DNS records have been configured in such a way that Cloudflare knows that it is Pedersen who owns, or at least controls, this domain.
The researcher then wondered what would happen if he added his domain to another Cloudflare account where that domain was unverified. He was sure that it would be impossible to set up Email Routing for him and forward the email. However, everything worked out.
When the unverified domain was added to the sub account, Pedersen enabled Email Routing for it and configured the original email address (albert@example.com) to be redirected to another email address (which was no longer his personal Gmail box). He then sent a message to albert@example.com, and it ended up in the fraudulent recipient’s inbox instead of their personal Gmail box.
Basically, the researcher took over albert@example.com by simply adding the domain to another account and instructed Cloudflare where to relay messages for albert@example.com.
“I assumed that either the Cloudflare API would perform server-side validation and throw an error telling me to verify the zone, or my rogue configuration would simply not work,” says Pedersen, who clarifies that in the end he saw no error, and everything worked. – I suspect that the Cloudflare mail server only keeps one entry for each address, and it was simply overwritten when I applied my fraudulent settings. You can now set up Email Routing in an unverified zone, however the configuration will not take effect until the domain has been verified.”
Essentially, an attacker exploiting this vulnerability could receive messages sent to a stranger’s address simply by adding that stranger’s domain to their account and forwarding the mail to the desired address. However, this only worked for Assuming the stranger is already using Cloudflare, their domain has been verified and Email Routing is set up.
“This is not just a serious privacy issue. Because password reset links are often sent to the user’s email address, attackers could potentially take control of any accounts associated with that email address,” Pedersen notes, adding that this is a good argument in favor of using two-factor authentication.
The researcher says that at the time of the closed beta Email Routing used about 600 domains, and all their email could be compromised if some hacker took advantage of the vulnerability.
Representatives of Cloudflare told The Register that the attackers did not have time to take advantage of the problem, and Email Routing is still in beta, only now open. The company also emphasized that the bug discovered by Pedersen is another proof of the usefulness and necessity of bug bounty programs.