Sending Emails From Any Alias On luminate.com Domain

Hey guys, today I want to share my finding for the Yahoo bug bounty program. I hope you can get something useful from it! I was trying to find a valid bug to report to the Yahoo program for quite a long time. Seeing all of the other’s people submissons get resolved and paid, I was anxious to find some too!

I decided that this time I will test every feature of luminate.com. I had this feeling that there’s got to be something here.

A little bit of information about the company: Luminate (Yahoo Small Business) is providing web-hosting services, domain registration, and tools for web-site and e-commerce development.

First I tested the domain registration functionality. I found out that if I attempt to register an already registered domain name it shows that that domain is unavailable. But when you intercept the request in Burp for a domain name which is available for registration and then change the available domain name for one which already exists, the application will accept that request and show you your cart with the previously registered domain. Unfortunately, when you try to checkout, the application throws you an error and doesn’t allow you to proceed. I played with this for a bit, but nothing new happened, so I redirected my attention to the web-hosting functionality of the app.

I picked the cheapest plan for web-hosting without registering a domain name. During the setup process of web-hosting you can add your own domain to it. So I tried to add the luminate.com domain as my web-hosting domain and to my surprise it worked! Now I just needed to figure out what kind of things I could do with that functionality that would put Yahoo customers at risk.

plans

The web-hosting plan from Yahoo Small Business allows you to register a business email address on your webhosting domain (in my case, I tried to register [email protected]). In order doing that you need to confirm that the domain (luminate.com) belongs to you. This could be done with a DNS change or other methods to which I had no access. So no email sending, right?

Not quite. With this web-hosting plan you get access to a control panel from where you can manage your settings.

control-panel I went there and found that I can send promotional emails to my friends and family about my newly launched web-site. To my surprise, right there in the sender options I saw: [email protected]! I sent a test mail to my personal email account and it went through! I checked my personal mail and saw this email.

email Bingo!

After that I went ahead and filled a submisson to the Yahoo bug bounty program on H1. They confirmed the bug and triaged it on the very next day. I am very grateful for the timeliness, clear communication and professionalism of the Yahoo security team and am looking forward to finding more bugs on their program.

Timeline:

  • reported on 2017-08-28 (initial bounty $100)
  • triaged on 2017-08-29
  • resolved on 2017-10-23
  • remaining bounty awarded on 2017-10-31 ($1400)
Written on November 9, 2017