Hi there , another happy day and today i am publishing this vulnerability because a big reason is behind this.
We know that Fastmail.fm has started a Bug Bounty Program for White-Hat Hackers to make them-self a secured from black-hat hackers but today when i tried to exploit their web-site with some advance methods , i was successfully able to exploit their website by API Injection.
The bug was , i can send email from fastmail by using any email address such as admin@fastmail.fm , administrator@fasmail.fm or any email address.
When i emailed them the complete process with a video reference that how it could be exploited and showed them the complete process and proof of concept , they refused me to give me bug bounty reward which was 2000$ and not only this they also refused to list me in Hall of Fame.
They said that this is not a bug and this is a design of their email service , thats how it work and they wont consider this as a bug. I was shocked !!! yes i was shocked to know that for them API Injection is not a bug ? i dont know what type of cyber security experts dose Fastmail have , who dont even even know what is API injection.
Here is one of the email which they replied me earlier.
Wait , Mr.Rob Nile i will show the world how dangerous it is ! dont worry about it world will let you know if it was a bug / vulnerability or not because today i am going to public this exploit.
Before we start , i am telling you that Mr.Rob has told me that he could take action against anyone who dose this illegally and for spaming and all that stuff for wrong use so i am also giving you a warning that dont do anything wrong after reading this because you could face a real trouble and i am not responsible for any of your act done after reading this exploit from my blog or third party blog.
First of all i created an account on fastmail.fm after confirming my account i went over to compose an email and please not that to reproduce this bug one must have two things which are below.
Now open Live HTTP Headers , and it will start capturing . After just click send to send the email and in live http headers there will be the captured API and other things in Live Http headers so find the email in Live http headers and click on it and click replay and after there will be the API and url text so we will do further editing in it and if we succeed it will be API Injection.
We will remove 2 things one is personality ID and other is draft ID numbers and leaving it blank.
Now we will edit email of the sender which is our email where ever it is , in my case it is 2 times in the API so i will replace the sender email with the email which i want to spoof. such as admin@fastmail.com with both of them so it would be looking like this.
And here i am , successfully bypassed and exploited the API of FastMail and sent an email from admin@fastmail.com
Now mr.rob thinks this is not a vulnerability and is not an issue for them ! , i hope if anyone who is from fastmail and is reading my article will consider on it and will remove such corruption from the company.
Regards :-
Ahmed Mehtab
ahmedmehtab009@gmail.com
We know that Fastmail.fm has started a Bug Bounty Program for White-Hat Hackers to make them-self a secured from black-hat hackers but today when i tried to exploit their web-site with some advance methods , i was successfully able to exploit their website by API Injection.
The bug was , i can send email from fastmail by using any email address such as admin@fastmail.fm , administrator@fasmail.fm or any email address.
When i emailed them the complete process with a video reference that how it could be exploited and showed them the complete process and proof of concept , they refused me to give me bug bounty reward which was 2000$ and not only this they also refused to list me in Hall of Fame.
They said that this is not a bug and this is a design of their email service , thats how it work and they wont consider this as a bug. I was shocked !!! yes i was shocked to know that for them API Injection is not a bug ? i dont know what type of cyber security experts dose Fastmail have , who dont even even know what is API injection.
Here is one of the email which they replied me earlier.
Wait , Mr.Rob Nile i will show the world how dangerous it is ! dont worry about it world will let you know if it was a bug / vulnerability or not because today i am going to public this exploit.
Before we start , i am telling you that Mr.Rob has told me that he could take action against anyone who dose this illegally and for spaming and all that stuff for wrong use so i am also giving you a warning that dont do anything wrong after reading this because you could face a real trouble and i am not responsible for any of your act done after reading this exploit from my blog or third party blog.
First of all i created an account on fastmail.fm after confirming my account i went over to compose an email and please not that to reproduce this bug one must have two things which are below.
- firefox
- Live Http Headers Plugin ( FireFox plugin )
Now open Live HTTP Headers , and it will start capturing . After just click send to send the email and in live http headers there will be the captured API and other things in Live Http headers so find the email in Live http headers and click on it and click replay and after there will be the API and url text so we will do further editing in it and if we succeed it will be API Injection.
We will remove 2 things one is personality ID and other is draft ID numbers and leaving it blank.
Now we will edit email of the sender which is our email where ever it is , in my case it is 2 times in the API so i will replace the sender email with the email which i want to spoof. such as admin@fastmail.com with both of them so it would be looking like this.
And here i am , successfully bypassed and exploited the API of FastMail and sent an email from admin@fastmail.com
Now mr.rob thinks this is not a vulnerability and is not an issue for them ! , i hope if anyone who is from fastmail and is reading my article will consider on it and will remove such corruption from the company.
Regards :-
Ahmed Mehtab
ahmedmehtab009@gmail.com
They must give you the bounty. This is a serious issue Sniper my bro :) Hope they understand :)
ReplyDelete:-) Awesome, Send Them This Post Link :) :)
ReplyDeletehello please can anyone help me out on a strong crypter to crypte my stub or if any idea on the best free and buy crypter please email me on ramondharry@yahoo.com
DeleteIndeed its a issue but we should let them decide the things ... as its their policy :)
ReplyDeleteHi Bro can you share a video POC?
ReplyDeleteThanks
hello please can anyone help me out on a strong crypter to crypte my stub or if any idea on the best free and buy crypter please email me on ramondharry@yahoo.com
Deletenever trust to those basters /
ReplyDeleteI have the experience of that /
"as you were told earlier" what did they tell you?
ReplyDeleteLook this is a bug , you can ask any hacker about it , you have to accept it.
Deleteno i mean what did they say?
Deletethey said its not a bug :3 according to them
DeleteWhat happens if I receive that email and click reply? Does the addressee show up as admin@fastmail.fm (in which case I presume you wouldn't receive it, but the administration at fastmail would)?
ReplyDeleteYes there you will have to do some logical trick but i can not mention here it would be bad for fastmail so according to this method mentioned on this blog the email replay will go to fastmail admin as spoofed
Deletehello please can anyone help me out on a strong crypter to crypte my stub or if any idea on the best free and buy crypter please email me on ramondharry@yahoo.com
DeleteI found similar bug earlier ... Same experience ... But they have additional headers to track the mail ... Doesn't make it secure ...also is a stupid issue..
ReplyDeleteThey have fixed this issue silently, even i too got a same reply from neil for one type of injection.
ReplyDeleteAs noted here in 2014, by design, fastmail has allowed users to "edit the address in the From field to anything you wish" : http://www.emaildiscussions.com/showpost.php?p=573520&postcount=17. It has been allowed since I've been a customer, which was a couple years before that. You just happened to find another way to do so without being aware that it was something they were explicitly aware of and allowing for years - it's a conscious design feature, not a bug. But perhaps they didn't explain any of this to you? They should have.
ReplyDeleteSelling USA FRESH SPAMMED SSN Leads/Fullz, along with Driving License/ID Number with EXCELLENT connectivity.
ReplyDelete**PRICE**
>>2$ FOR EACH LEAD/FULLZ/PROFILE
>>5$ FOR EACH PREMIUM LEAD/FULLZ/PROFILE
**DETAILS IN EACH LEAD/FULLZ**
->FULL NAME
->SSN
->DATE OF BIRTH
->DRIVING LICENSE NUMBER WITH EXPIRY DATE
->ADDRESS WITH ZIP
->PHONE NUMBER, EMAIL, I.P ADDRESS
->EMPLOYEE DETAILS
->REALTIONSHIP DETAILS
->MORTGAGE INFO
->BANK ACCOUNT DETAILS
>All Leads are Tested & Verified.
>Invalid info found, will be replaced.
>Serious buyers will be welcome & I will give discounts for bulk orders.
>Fresh spammed data of USA Credit Bureau
>Good credit Scores, 700 minimum scores
>Bulk order will be preferable
>Minimum order 20 leads/fullz
>Hope for the long term business
>You can asked for samples, specific states & zips (if needed)
>Payment mode BTC, PAYPAL & PERFECT MONEY
Email > leads.sellers1212@gmail.com
Telegram > @leadsupplier
ICQ > 752822040
''OTHER GADGETS PROVIDING''
>SSN Fullz
>Dead Fullz
>Carding Tutorials
>Hacking Tutorials
>SMTP Linux Root
>DUMPS with pins track 1 and 2
>Sock Tools
>Server I.P's
>USA emails with passwords (bulk order preferable)
**Contact 24/7**
Email > leads.sellers1212@gmail.com
Telegram > @leadsupplier
ICQ > 752822040