
Task ID: 264
Status: Closed
Summary: Improper Authorization leads to send Emails Behalf of a ...
Opened by: bugxhunter

Task Description

Summary:

Hi team, hope you are doing well.

During security testing of the AlwaysData webmail service, I identified a vulnerability that allows an attacker to send emails while impersonating any AlwaysData user account (e.g., anyuser@alwaysdata.net) without authentication or authorization.

This flaw enables a malicious actor to fully spoof internal user identities via the webmail interface, making the emails appear legitimate and trusted.

Description:

Improper authorization in AlwaysData webmail allows an attacker to send emails on behalf of any registered @alwaysdata.net user without authentication, resulting in unauthorized account impersonation and loss of email integrity across the domain.

Severity:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.5 High

Steps to Reproduce:

1. Open the AlwaysData webmail interface (https://webmail.alwaysdata.com/?from_roundcube=1).

2. Navigate to https://webmail.alwaysdata.com/roundcube/?_task=settings&_action=identities

In the “Email” field, manually specify any valid AlwaysData email address
(e.g., victimuser@alwaysdata.net) that does not belong to the authenticated session.

3. Save it.

4. Compose an email and select the victim's address as the sender.

5. Enter any recipient email address.

6. Send the email.

Observe that the email is successfully delivered and appears to originate from the impersonated AlwaysData user, despite no authorization or ownership validation.

Expected Result

The system should restrict the sender address to only the authenticated user’s own email identity.

Actual Result

Emails can be sent using any registered @alwaysdata.net address without authorization.

PoC:

Added a short video PoC for confirmation:

(https://drive.google.com/file/d/1iJY5OQev2Uz2aDDTFBLw3hhnhvYT77xf/view?usp=sharing)

Impact:

This vulnerability allows unauthorized use of trusted @alwaysdata.net email identities, breaking sender authenticity and undermining the integrity and reliability of the AlwaysData email system.

Thanks
