BridgeDB can be forced to email arbitrary email addresses
See #12086 (moved).
From this commit message for this unittest:
BridgeDB will accept an email from an arbitrary gmail/yahoo email address at the SMTP layer, and then send the reply to a different arbitrary gmail/yahoo email address taken from the contents of the email headers.
As you can see in the example...
(in the ticket description of #12086 (moved))
the SMTP command
{{{ MAIL FROM: isisgrimalkin@gmail.com }}}
combined with a
{{{ From: isislovecruft@gmail.com }}}
in the email headers within the SMTP DATA segment caused the reply to be sent to the latter address, even though the message came from the former.
While this was done quick-and-dirty with netcat, it's probably possible to configure msmtp to send the same SMTP commands/info with embedded email headers still specifying an arbitrary email address, such that Gmail/Yahoo would produce a valid DKIM signature for it and pass it along to BridgeDB. (And thus the issue isn't merely that DKIM verification appears to be broken; the issue is that we're not checking that the source of an incoming email matches the destination of the response.)
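The missing check, as an added example rather than BridgeDB's own code: derive the reply destination from the SMTP envelope sender (MAIL FROM) and refuse to answer when the message's From: header names a different address. The BridgeDB mailbox address and the sample messages below are constructed for illustration.

```python
"""Added example (not BridgeDB's own code): only reply to the envelope
sender, and drop requests whose From: header points somewhere else."""
from email import message_from_string
from email.utils import parseaddr


class EnvelopeMismatch(Exception):
    """Header From: address differs from the SMTP MAIL FROM address."""


def normalize(addr: str) -> str:
    """Reduce 'Display Name <user@host>' to a lower-cased bare address."""
    _, bare = parseaddr(addr)
    return bare.strip().lower()


def reply_address(envelope_from: str, raw_message: str) -> str:
    """Return the one address a reply may be sent to.

    The destination is the envelope sender that delivered the request;
    the message's From: header must agree with it, otherwise the request
    is rejected instead of being answered to a third party.
    """
    env = normalize(envelope_from)
    if "@" not in env:
        raise ValueError("missing or malformed envelope sender")
    hdr = normalize(message_from_string(raw_message).get("From", ""))
    if hdr != env:
        raise EnvelopeMismatch(f"MAIL FROM {env!r} != header From {hdr!r}")
    return env


def reply_allowed(envelope_from: str, raw_message: str) -> bool:
    """Boolean form of the same check, for callers that just want yes/no."""
    try:
        reply_address(envelope_from, raw_message)
        return True
    except (EnvelopeMismatch, ValueError):
        return False


# Constructed sample mirroring the ticket: envelope and header senders differ.
SPOOFED = (
    "From: isislovecruft@gmail.com\r\n"
    "To: bridges@bridgedb.example\r\n"  # placeholder BridgeDB address
    "Subject: get bridges\r\n\r\nget bridges\r\n"
)
MATCHING = SPOOFED.replace("isislovecruft@gmail.com", "isisgrimalkin@gmail.com")

if __name__ == "__main__":
    print("reply goes to:", reply_address("isisgrimalkin@gmail.com", MATCHING))
    print("spoofed request allowed?", reply_allowed("isisgrimalkin@gmail.com", SPOOFED))
```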
In addition, the person reading such an unsolicited response from BridgeDB also has no way to know who originally emailed BridgeDB to cause this email to end up in her inbox in the first place.
I'm not exactly certain if this is a bug or a feature. While it could be used for sending some junk to an arbitrary gmail/yahoo address, it could also be used as a sort of
"Dear BridgeDB, can I have some bridges? Asking for a friend."
mechanism.
I'm guessing that we're likely to see more use of it for the former, more malicious activity than the latter benevolent one, and so we should probably consider this a pretty serious bug.
Side note:
All the bugs found with that unittest were present in older versions of BridgeDB, and possibly have always been present, and they don't appear to be resultant from my recent rewrite of the email servers (as sysrqb noted, my rewrite retained portions of the old codebase). I just wanted to point that out so that I'm not blamed for introducing them. Unfortunately, I didn't catch this while staring at the code for several hours. (But hiphiphooray for unittests! :D )