How I Was Able To Send Emails On Behalf of Any Apple User Email, Yes Any!!! 😜
======================================================================
Disclosure permission was discussed with the Apple Security Team before
posting this blog.
Hello all! During 2020 I spent most of my time breaking Apple systems and
getting good bugs out of the Apple Security Bug Bounty Program. Most of that
time went into Apple products, which are my personal favourite area (not web
apps), but a few of the bugs I found were on web apps only.
I have been asked over Twitter/LinkedIn to disclose my findings and, to be
frank, after 2020 I was super packed with multiple activities and wasn't able
to write them up.
As this vulnerability [How I Was Able To Send Emails On Behalf of Any Apple
Email, Yes Any!!!] is very straightforward, I decided to create a super quick
PoC along with a write-up.
Impact
An attacker can launch mass phishing attacks against Apple users and Apple
employees, and can even impersonate someone else's identity, e.g. send emails
on behalf of product-security@apple.com to bug bounty hunters, tcook@apple.com
to Apple employees, or security@apple.com to notify Apple users of a security
breach.
Timeline
Initial Report - Aug 24, 2020, 9:25 PM
Triaged - Aug 31, 2020, 10:43 AM
Fix Deployed - Oct 14, 2020, 9:24 AM
Bounty Awarded - Nov 21, 2020, 5:24 AM
Let's start! The first web application I started working on as a target was
https://developer.apple.com; most of its API endpoints were good enough to
protect against IDOR and low-hanging fruits.
After spending a few moments, their support system got my attention, which
looked like this during my research.
While sending a support ticket, the API endpoint had a parameter called
userEnteredEmail which was responsible for this vulnerability: after changing
that parameter to any xxxx@apple.com address, the victim will receive an email
from that address.
Ex. Here I have sent an email on behalf of security@apple.com
This one is from product-security@apple.com
This one is from timcook@apple.com, which a few of you might have been waiting
for 😅
Here is the complete mail header of this email.
Also, the Gmail app has a feature called Signed by which shows whether the
sender's email has passed all the authentication checks. The emails sent using
this vulnerability are getting signed by apple.com, which means they are
actually sent from Apple's mail server to the receiving mail server and pass
all mail authentication checks such as SPF (Sender Policy Framework), DKIM
(DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication,
Reporting & Conformance), which makes this more severe.
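To make the root cause concrete, here is an added example (my own illustration, not code from the post or from Apple) of a support-form mailer in Python: the vulnerable builder copies the user-supplied userEnteredEmail parameter straight into the From header, so the organisation's own MTA signs and sends it and SPF/DKIM/DMARC all pass for an address the submitter chose, while the fixed builder pins From to a service address and keeps the submitter's address in Reply-To only, after validation. All addresses, the form payload and the function names are constructed placeholders.

```python
import re
from email.message import EmailMessage

SERVICE_FROM = "support@example.com"     # fixed sender; placeholder domain
ALLOWED_FROM = {SERVICE_FROM}            # every From this service may emit
# fullmatch against this also rejects embedded whitespace/CRLF (header injection)
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_ticket_mail_vulnerable(form: dict, recipient: str) -> EmailMessage:
    """Bug: the From header is taken verbatim from the request parameter."""
    msg = EmailMessage()
    msg["From"] = form["userEnteredEmail"]   # submitter controls the sender
    msg["To"] = recipient
    msg["Subject"] = "Your support request"
    msg.set_content(form["message"])
    return msg


def build_ticket_mail_fixed(form: dict, recipient: str) -> EmailMessage:
    """Fix: From is a constant; user input goes to Reply-To only, validated."""
    contact = form["userEnteredEmail"]
    if not ADDRESS_RE.fullmatch(contact):
        raise ValueError("invalid contact address")
    msg = EmailMessage()
    msg["From"] = SERVICE_FROM
    msg["Reply-To"] = contact
    msg["To"] = recipient
    msg["Subject"] = "Your support request"
    msg.set_content(form["message"])
    return msg


def safe_to_submit(msg: EmailMessage) -> bool:
    """Last-line check before handing a message to the MTA: the From header
    must be one of the addresses this service is allowed to speak for."""
    return str(msg["From"]) in ALLOWED_FROM


if __name__ == "__main__":
    # constructed payload: a submitter supplying the organisation's own address
    payload = {"userEnteredEmail": "security@example.com", "message": "hi"}
    bad = build_ticket_mail_vulnerable(payload, "victim@example.org")
    good = build_ticket_mail_fixed(payload, "victim@example.org")
    print(bad["From"], safe_to_submit(bad))     # security@example.com False
    print(good["From"], safe_to_submit(good))   # support@example.com True
```

The safe_to_submit gate is the check worth keeping even after the fix: it turns any future code path that lets user input reach From into a rejected send rather than a signed, DMARC-passing message.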
PoC Video
Also, the email contains some additional text that appears to come from Apple
Support, and this also looks legitimate, which makes the victim trust the
email.
Please do share and let me know your comments. Happy Hacking to All.