
New Video from @NahamSec: Exploring Email Server and Database Inconsistencies
In this video, Yasha Shangada, a security researcher and bug hunter, together with his colleague Amir, explores a vulnerability class rooted in inconsistencies between mail servers and databases. The inconsistency, typically a disagreement over how special characters are handled, can lead to sophisticated and lucrative attacks.

Yasha begins by stressing the importance of inconsistencies in security, describing them as the root of many bugs, and uses HTTP request smuggling as an example of how such disagreements between components are exploited. He then turns to a specific weakness in password reset functionality in a setup with an SMTP mail server and a MySQL database. The problem arises when the SMTP server and MySQL treat certain special characters differently: the SMTP server may regard two versions of a character (such as "A" and "Å") as distinct, while MySQL treats them as identical under its default collation settings. This difference can be exploited to take over a user account.

Yasha explains that if an attacker submits a "punycode" version of an email address (one that uses such special characters), MySQL may match it to an existing, valid address in the database. If the SMTP server then sends the password reset link to the submitted address rather than the stored one, the attacker receives the link and can take control of the victim's account.

Amir then demonstrates the attack in action. He shows how an attacker can take over any user account by entering a punycode version of the victim's email address in the password reset form, uses Burp Suite to send the payload, and shows that the reset link is delivered to an address the attacker controls.

Yasha and Amir also discuss other scenarios built on the same inconsistency, such as email trust issues with OAuth providers and OAuth provider URL redirects. They mention that sites like GitLab can be vulnerable if developers do not properly verify the email addresses returned by OAuth providers. They conclude by emphasizing that this vulnerability is easy to test for and can be very lucrative for bug hunters, and they encourage researchers to explore other attack vectors based on this inconsistency and to share their findings online.

In summary, the video provides a detailed and practical overview of a common but often overlooked vulnerability in web applications. It shows how inconsistencies between different layers of an application can be exploited for account takeover, and it backs the discussion with concrete examples and demonstrations.
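The collation mismatch described above, as an added example that is not code from the video or from this article: a small Python simulation in which an accent- and case-insensitive comparison (approximating MySQL's default case- and accent-insensitive collations such as utf8mb4_0900_ai_ci) stands in for the database lookup, while the mail layer treats the submitted string literally. The `USERS` table, the `victim@example.com` address and the function names are constructed for this illustration. It also shows the hardened flow: match the submitted address byte-exactly and always mail the address stored in the database, never the user-supplied string.

```python
import unicodedata

# Constructed stand-in for the application's users table (address -> record).
USERS = {"victim@example.com": {"id": 1}}


def collation_key(s: str) -> str:
    """Approximate an accent- and case-insensitive collation (e.g. MySQL's
    utf8mb4_0900_ai_ci): decompose, drop combining marks, fold case.
    Under this key 'victim@ex\u00c5mple.com' and 'victim@example.com' compare equal."""
    decomposed = unicodedata.normalize("NFKD", s)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.casefold()


def find_user_ci(email: str):
    """Database-style lookup with the loose collation. Returns the *stored*
    address that matched, or None."""
    key = collation_key(email)
    for stored in USERS:
        if collation_key(stored) == key:
            return stored
    return None


def vulnerable_reset(submitted_email: str):
    """Vulnerable flow: loose lookup, then the reset link is mailed to the
    string the user typed. SMTP sees the lookalike as a different mailbox,
    so the recipient is whoever owns that lookalike address."""
    if find_user_ci(submitted_email) is None:
        return None
    return submitted_email


def hardened_reset(submitted_email: str):
    """Hardened flow: byte-exact match (equivalent to comparing under a _bin
    collation), and the recipient is always the address stored in the row."""
    if submitted_email not in USERS:
        return None
    # Even if a looser lookup were kept, mailing the stored value (not the
    # submitted one) already closes the gap between DB and SMTP views.
    return submitted_email


if __name__ == "__main__":
    lookalike = "victim@ex\u00c5mple.com"  # constructed attacker-controlled lookalike
    print("vulnerable ->", vulnerable_reset(lookalike))  # mails the lookalike address
    print("hardened   ->", hardened_reset(lookalike))    # None: no exact match
```

The two checks in `hardened_reset` are independent: exact matching stops the lookalike from resolving to the victim's row at all, and mailing the stored address means that even a loosely matched row can only ever notify its real owner. Logging reset requests whose submitted address differs from the stored address after matching is a cheap detection for this pattern.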