"Student Crashes Cloudflare Beta Party, Redirects Email, Bags a Bug Bounty"
A Danish ethical hacker gained unauthorized access to a closed Cloudflare beta and discovered a vulnerability that a cybercriminal could have exploited to hijack and steal someone else's email. Albert Pedersen, the student who reported the critical vulnerability to Cloudflare through the company's bug bounty program and was rewarded $3,000. He stated that he notified the company shortly after discovering the vulnerability on December 7. Cloudflare fixed the flaw within a few days, according to a timeline on HackerOne, which manages the bounty program. However, the vulnerability was not publicly disclosed until July 28. Cloudflare, which primarily handles content distribution and website security, announced its Email Routing service in September 2021, initially making it available as a private beta program. Customers can use the service to create and manage custom email addresses for their domains, as well as have them redirect their mail to specific addresses. Pedersen's first challenge was getting into this private beta. Cloudflare Email Routing was in closed beta when Pedersen discovered the vulnerability, with only a few domains granted access. He infiltrated the program by manipulating the data sent from Cloudflare's backend servers to the Cloudflare dashboard, which was open in his browser. He used his computer's Burp suite to intercept the response and replace 'beta': false with 'beta': true, thus making the dashboard think he had been granted beta access. Once inside, he configured Email Routing for one of his domains so that email sent to a custom address at that domain was routed to his personal Gmail account. This article continues to discuss the ethical hacker's infiltration into a closed Cloudflare beta and the discovery of a vulnerability that could have allowed cybercriminals to steal email.
The Register reports "Student Crashes Cloudflare Beta Party, Redirects Email, Bags a Bug Bounty"