Day 1

Your Vulnerability Disclosure Is Important To Us

Session complexity:
Email is widely used for communication within an organisation and between organisations. Standards such as SPF and DMARC were created to reduce the number of phishing emails that appear to come from legitimate domains. We describe a commonly applicable method of (ab)using the information in an SPF record, based on the fact that many third-party hosting providers do not adequately check whether their customers actually hold the domain name they send email from. This allows us to send email on behalf of organisations that use those third-party hosting providers, and that email ends up in the inbox rather than the spam folder.
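The talk abstract above describes how third-party providers listed in an SPF record can become the weak link. From a defender's side, the first step is to know which `include:` mechanisms in your own record delegate trust to shared infrastructure. The following is an added example, not code from the talk or its authors: a small offline SPF record auditor that lists every include, flags the ones on an assumed list of shared providers, counts DNS-lookup terms against the RFC 7208 limit of ten, and checks the qualifier on the trailing `all`. The sample record and the provider names in it are constructed placeholders.

```python
"""
Audit an SPF record for third-party include: mechanisms (added example).

The SPF record and the provider list below are constructed for illustration;
nothing here performs DNS lookups, so it runs offline.
"""
import re
from dataclasses import dataclass, field

# Constructed sample record; every domain in it is a placeholder.
SAMPLE_SPF = (
    "v=spf1 ip4:192.0.2.0/24 include:spf.example-newsletter.test "
    "include:_spf.example-hoster.test a mx -all"
)

# Assumed set of includes known to be shared among many customers of a provider.
SHARED_PROVIDER_INCLUDES = {"spf.example-newsletter.test", "_spf.example-hoster.test"}

# qualifier (optional) + mechanism name + optional ":argument" (CIDR kept in the argument)
MECHANISM_RE = re.compile(
    r"^([+\-~?])?(all|include|a|mx|ptr|ip4|ip6|exists)(?::(.+))?$", re.IGNORECASE
)


@dataclass
class SpfAudit:
    version_ok: bool
    includes: list = field(default_factory=list)        # include: targets and redirect= target
    shared_includes: list = field(default_factory=list)  # includes that match the shared list
    lookup_terms: int = 0           # terms that cost a DNS lookup (RFC 7208 allows at most 10)
    final_qualifier: str = ""       # qualifier on the trailing "all" ("-" is the strict choice)
    warnings: list = field(default_factory=list)


def audit_spf(record: str, shared=SHARED_PROVIDER_INCLUDES) -> SpfAudit:
    """Parse one SPF TXT record and return findings a domain owner would act on."""
    shared_lc = {s.lower() for s in shared}
    terms = record.split()
    audit = SpfAudit(version_ok=bool(terms) and terms[0].lower() == "v=spf1")
    if not audit.version_ok:
        audit.warnings.append("record does not start with v=spf1")
        return audit

    for term in terms[1:]:
        if "=" in term:  # modifiers: redirect=, exp=
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                audit.lookup_terms += 1
                audit.includes.append(value)  # redirect delegates the whole policy, like an include
            continue
        m = MECHANISM_RE.match(term)
        if not m:
            audit.warnings.append(f"unrecognised term: {term}")
            continue
        qualifier = m.group(1) or "+"
        mech = m.group(2).lower()
        arg = m.group(3)
        if mech in ("include", "a", "mx", "ptr", "exists"):
            audit.lookup_terms += 1
        if mech == "include":
            audit.includes.append(arg)
            if arg.lower() in shared_lc:
                audit.shared_includes.append(arg)
        if mech == "all":
            audit.final_qualifier = qualifier

    if audit.final_qualifier in ("+", "?"):
        audit.warnings.append(
            f"'{audit.final_qualifier}all' does not reject unauthorised senders"
        )
    if audit.lookup_terms > 10:
        audit.warnings.append(
            "more than 10 DNS-lookup terms; receivers will treat the record as permerror"
        )
    if audit.shared_includes:
        audit.warnings.append(
            "shared-provider includes present: confirm the provider verifies domain ownership "
            "for envelope senders, otherwise every customer of that provider can pass SPF "
            "for this domain"
        )
    return audit


if __name__ == "__main__":
    result = audit_spf(SAMPLE_SPF)
    print("includes:", result.includes)
    print("shared includes:", result.shared_includes)
    print("lookup terms:", result.lookup_terms, "final qualifier:", result.final_qualifier)
    for w in result.warnings:
        print("WARNING:", w)
```

The shared-provider list is the part a practitioner has to maintain themselves; the auditor only tells you which delegations to question, not whether a given provider enforces ownership, which is exactly the property the abstract says many providers lack.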

We identified a significant number of high-profile domains across the Netherlands and Europe, including around 30% of Dutch municipalities, half of the Dutch provinces, federal government institutions, banks, universities, and more, on whose behalf we were able to successfully send email. We share our experiences with disclosing these vulnerabilities, the various types of responsible disclosure programmes we encountered, and the responses we received. During the disclosure process we were met with quite a few broken responsible disclosure programmes, web forms behind an (intranet) login, email addresses intended for internal use only, and more.

Speakers in this session