- Status: Closed
- Assigned To: xlefloch
- Private
- Opened by monty099 - 05.10.2025
- Last edited by cbay - 27.10.2025
FS#221 - Title: Domain–Mailbox Binding Flaw Allows Cross-Subscription Mailbox Takeover
Description
There is a design flaw in the domain and mailbox management logic within a user account on AlwaysData.
A user who owns multiple subscriptions within the same account can create a mailbox in one subscription using a domain that belongs to another subscription within the same account, without strict verification of domain ownership.
As a result, mailboxes become associated with the domain object itself rather than with the subscription that created them.
When subscriptions or domains are later transferred to other users, mailboxes and their stored emails are automatically re-associated based on domain ownership, enabling serious exploitation scenarios.
—
Scenario 1 — Create a mailbox then transfer the subscription that owns the domain
1. The attacker’s AlwaysData account contains two subscriptions:
Subscription A: with a different domain.
Subscription B: contains the domain victim-domain.com.
2. From within Subscription A, the attacker creates a new mailbox using the domain from Subscription B (for example admin@victim-domain.com).
3. The attacker then transfers Subscription B (which contains the domain) to another user.
4. The mailbox the attacker created remains active and operates under the domain now owned by the new user.
Result:
The attacker retains an active mailbox under a domain that now belongs to another user, allowing them to receive/send emails as that domain — enabling impersonation or disclosure of sensitive communications.
—
Scenario 2 — Create a mailbox, transfer the subscription that contains the mailbox, then later transfer the domain
1. The attacker creates a mailbox in Subscription A using the domain in Subscription B.
2. The attacker transfers Subscription A (which contains the mailbox) to another user. The new user sees the mailbox ready and uses it.
3. Later, the attacker transfers the domain from Subscription B to a new subscription controlled by the attacker.
4. Because the system links mailboxes to the domain, when the domain is moved the mailboxes and all their contents are transferred to the attacker.
Result:
The attacker gains access to all past and future emails of the mailbox used by the new user, constituting a full privacy breach.
POC: https://admin.alwaysdata.com/support/89714/
—
Impact
Unauthorized access to private messages.
Identity impersonation via email addresses tied to the victim domain.
—
Fix Recommendation
Prevent selecting domains from other subscriptions within the same account when creating a mailbox.
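To make the reported design concrete, here is an added toy model (not AlwaysData's code) of subscriptions, domains and mailboxes. A mailbox is resolved through its domain object, and `create_mailbox` either applies only the account-level check the report describes or, with `strict=True`, the recommended fix that the domain must belong to the creating subscription. `scenario_1` replays Scenario 1 with constructed account and domain names.

```python
from dataclasses import dataclass, field

@dataclass
class Subscription:
    sid: str
    account: str      # owning account; changes when the subscription is transferred
    domains: set = field(default_factory=set)

@dataclass
class Mailbox:
    address: str
    created_in: str   # subscription the mailbox was created from

class MailPlatform:
    """Toy model of the reported design: a mailbox hangs off the domain object."""
    def __init__(self, strict):
        self.strict = strict   # True applies the report's fix recommendation
        self.subs = {}

    def add_subscription(self, sid, account, domains):
        self.subs[sid] = Subscription(sid, account, set(domains))

    def owner_of_domain(self, domain):
        return next(s for s in self.subs.values() if domain in s.domains)

    def create_mailbox(self, sid, local, domain):
        holder = self.owner_of_domain(domain)
        if self.strict and holder.sid != sid:
            # Hardened: the domain must belong to the creating subscription itself.
            raise PermissionError(f"{domain} is not in subscription {sid}")
        if holder.account != self.subs[sid].account:
            # Flawed check on its own: same account is enough, any subscription will do.
            raise PermissionError(f"{domain} is not in this account")
        return Mailbox(f"{local}@{domain}", sid)

    def transfer_subscription(self, sid, new_account):
        self.subs[sid].account = new_account

    def domain_owner_of(self, mailbox):
        # The mailbox follows its domain, not the subscription that created it.
        return self.owner_of_domain(mailbox.address.split("@", 1)[1]).account

def scenario_1(strict):
    """Scenario 1 of the report: (account operating the mailbox, account now owning its domain)."""
    p = MailPlatform(strict)
    p.add_subscription("A", "attacker", ["other.example"])   # constructed sample data
    p.add_subscription("B", "attacker", ["victim-domain.example"])
    mb = p.create_mailbox("A", "admin", "victim-domain.example")
    p.transfer_subscription("B", "new-owner")
    return p.subs[mb.created_in].account, p.domain_owner_of(mb)
```

Without the strict check the two accounts returned differ, which is exactly the split the report describes; with it, the mailbox cannot be created from Subscription A in the first place.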
Hi team,
Any update to this report?
Thank you,
Hi,
Any update?
Thank you!
Hello,
A patch has been applied, do you confirm?
Regards,
Hi,
Yes, I confirm that the fix is working.
Best regards,