Status: Closed
Assigned To: hdegorce - Private
Opened by bugxhunter - 17.12.2025
Last edited by hdegorce - 18.12.2025
FS#264 - Improper Authorization leads to send Emails Behalf of any registered user from Alwaysdata.net domain
Summary:
Hi team, hope you are doing well.
During security testing of the AlwaysData webmail service, I identified a vulnerability that allows an attacker to send emails while impersonating any AlwaysData user account (e.g., anyuser@alwaysdata.net) without authentication or authorization.
This flaw enables a malicious actor to fully spoof internal user identities via the webmail interface, making the emails appear legitimate and trusted.
Description:
Improper authorization in AlwaysData webmail allows an attacker to send emails on behalf of any registered @alwaysdata.net user without authentication, resulting in unauthorized account impersonation and loss of email integrity across the domain.
Severity:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 High
Steps to Reproduce:
1. Open the AlwaysData webmail interface (https://webmail.alwaysdata.com/?from_roundcube=1).
2. Navigate to the identities page (https://webmail.alwaysdata.com/roundcube/?_task=settings&_action=identities). In the “Email” field, manually specify any valid AlwaysData email address (e.g., victimuser@alwaysdata.net) that does not belong to the authenticated session.
3. Save it.
4. Compose an email and select the victim address as the sender.
5. Enter any recipient email address.
6. Send the email.
Observe that the email is successfully delivered and appears to originate from the impersonated AlwaysData user, despite no authorization or ownership validation.
Expected Result
The system should restrict the sender address to only the authenticated user’s own email identity.
Actual Result
Emails can be sent using any registered @alwaysdata.net address without authorization.
PoC:
A short video PoC is attached for confirmation:
(https://drive.google.com/file/d/1iJY5OQev2Uz2aDDTFBLw3hhnhvYT77xf/view?usp=sharing)
Impact:
This vulnerability allows unauthorized use of trusted @alwaysdata.net email identities, breaking sender authenticity and undermining the integrity and reliability of the AlwaysData email system.
Thanks
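As an added illustration (not alwaysdata's or Roundcube's code), this is the sender-ownership check the report's Expected Result describes, written as a small policy function: a From address is allowed only if the authenticated login owns it, rejected if it is another user's address in a platform-managed domain, and flagged as unmanaged for external domains the platform cannot vouch for. The managed-domain list and the account table are constructed for the example.

```python
"""Sender-login alignment check, constructed for illustration only."""
from email.utils import parseaddr
from typing import Dict, Set

# Domains whose addresses are provisioned by the hosting platform (assumed).
MANAGED_DOMAINS = {"alwaysdata.net"}

# Constructed ownership table: authenticated login -> addresses it may send as.
# In a real deployment this mapping has to be consulted where mail is
# submitted, not only in the webmail form, or any other mail client bypasses it.
OWNED_ADDRESSES: Dict[str, Set[str]] = {
    "alice@alwaysdata.net": {"alice@alwaysdata.net", "alice.work@alwaysdata.net"},
    "bob@alwaysdata.net": {"bob@alwaysdata.net"},
}


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased."""
    return address.rpartition("@")[2].lower()


def check_from(login: str, from_header: str) -> str:
    """Classify a From: header for an authenticated login.

    allow     - the address is one the login owns
    reject    - managed domain, but the address is not owned by this login
                (the cross-user case the report describes), or malformed
    unmanaged - external domain; ownership cannot be asserted here, so the
                decision is left to local policy
    """
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    if not addr or "@" not in addr:
        return "reject"  # malformed sender, never pass it through
    if addr in OWNED_ADDRESSES.get(login, set()):
        return "allow"
    if sender_domain(addr) in MANAGED_DOMAINS:
        return "reject"  # another user's platform identity
    return "unmanaged"
```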
18.12.2025 13:52
Reason for closing: Invalid
Additional comments about closing:
No security flaw
Hello,
There is no issue or security flaw on our side; you can use identities with any email software and any address. You tried alwaysdata.net addresses, but you could have tried with other domains.
Hello,
Thanks for your response.
But my point here is that the attacker can use the email addresses of other registered users, as shown in my PoC too.
Consider a user who creates the mail address (victim@alwaysdata.net) for his own purposes in the webmail.
The issue is not about using arbitrary external addresses, but that the AlwaysData webmail allows sending emails using @alwaysdata.net addresses without verifying ownership or authorization. These are domain-owned identities, and the webmail does not restrict the “From” address to the authenticated user.
This results in cross-user impersonation within the AlwaysData domain, which is an authorization control issue.
Best regards,
You're referring to our webmail, where you're authenticated with your own `alwaysdata.net` email address, but you could do the same from any mail client.
Hello hdegorce,
The concern remains that the AlwaysData webmail itself permits changing the “From” address to other @alwaysdata.net identities without ownership validation. Since these addresses are AlwaysData-managed accounts, the webmail is effectively allowing authenticated users to act as other internal users.
This is a missing authorization check at the application level, regardless of whether other mail clients can also do this.
For example:
Let's say you have a webmail account with the address (hdegorce@alwaysdata.net) and your own credentials.
But with this issue an attacker can easily impersonate you and send mail from your address to anyone.
If you want a PoC for that, let me know your mail address and I'll try to send a mail from the victim account.
Thanks
No one would expect or want their email address to be used by someone else to send emails on their behalf.
For example, you would not want recipients to receive emails appearing to originate from your address when you did not send them yourself, as this breaks sender authenticity and undermines trust in the email system.
Thanks
An attacker can easily impersonate you even without that issue, as they could use any email application to do so.
But how is he using the mail addresses of your registered users without any authorization? Isn't that concerning to you?