41 #1419341 Hijack all emails sent to any domain that uses Cloudflare Email Forwarding https://hackerone.com/reports/1419341
https://hackerone.com/cloudflare?type=team
1. Summary by Cloudflare Public Bug Bounty
The Email Routing feature enables Cloudflare users to create any number of custom email addresses and route all incoming messages to the user's preferred inboxes. Due to a bug in zone ownership verification, it was possible to configure Email Routing to redirect e-mail messages for an unverified zone (with Email Routing enabled) to a different mailbox. In addition, the vulnerability allowed the e-mail forwarding configuration created by the zone owner to be overwritten. The issue has since been fixed by the Engineering team and zone ownership verification is working as expected when setting up Email forwarding rules. We investigated the exploit and validated it had only been found by the security researcher who responsibly disclosed the issue.
2. history
Summary by albertspedersen This vulnerability made it possible to deploy a rogue Email Routing configuration for an unverified zone (i.e. a domain you don't own) that would override the existing configuration on Cloudflare's mail ervers. This made it possible to 1. read any email sent to the target domain; and 2. stop any email sent to the target domain from arriving at the original destination address. The target domain had to already be using Cloudflare Email Routing as the vulnerability did not enable modification of DNS records.