We discovered several Cross Site Scripting (XSS) bugs on many sites including Agari.com, Mimecast.com, Dmarcly.com, and others that have online tools which help website owners validate DNS records of domain names.
Our Cyber Lab team recently worked on a Domain-based Message Authentication, Reporting, and Conformance (DMARC) project, which reviewed email providers to see how they handled spoofed messages. We used our own test domain name so we could easily configure our own DMARC settings.
Using a standard DNS querying tool like ‘dig’ to verify records was enough but we also wanted to see if these “Online DMARC Checkers” were actually any good at identifying issues. The official DMARC website has a page for deploying and creating DMARC records and it also includes third party sites.
Agari provides email security services to enterprises helping them deal with phishing and spoofing attacks. It is also one of the co-founders of DMARC standard. During our banking investigation with Which?, we identified that Agari was used by many UK banks for DMARC reporting services.
A report is sent to the company’s email address (e.g. [email protected] or [email protected]) whenever an email fails authentication checks. The report contains information which is helpful for security analysts to detect phishing emails or other issues.
There are four online tools for checking domain records; DMARC, DKIM, BIMI and SPF records. Each tool has a web form where users can submit a domain name and click a button to process it.
Below is a screenshot of Agari’s website showing our payload loaded onto the page:
A security disclosure report was sent to their security team and within a few days they were able to fix the issues.
Mimecast is a well-known UK based company that provides email and web security services to a wide range of businesses and public organisations. Similar to Agari, Mimecast’s website contains a product called ‘DMARC Analyzer’.
Below is a screenshot of Mimecast’s website showing our payload loaded onto the page:
The issue we discovered revealed that the domain name could have been used to steal customers’ cookies and log-in sessions, attackers would also be able to bypass email filters for phishing emails containing links that whitelist the mimecast.com domain name. The payload would have redirected the victim to the intended destination URL.
A security disclosure report was written up, sent to their security team and the issue was fixed a few days later.
We found another company that provides DMARC reporting services called Dmarcly.com.
On 29th March 2021, we discovered that the Brand Indicator Message Identification (BIMI) checker was vulnerable to XSS. BIMI is made so that a company’s familiar logo or brand is included within the email address avatar. This is not widely supported by email providers.
Below is a screenshot of Dmarcly’s website showing our payload loaded onto the page:
A security disclosure report was written up and sent to their security team. The issue has now been resolved.
For the testing domain we used three types of DNS TXT records. A DMARC record, a DKIM record and a BIMI record. All the provided examples contain a simple HTML code which opens a dialog with the number ‘1’, as soon as the page is loaded.
A malicious TXT record (_dmarc.example.com) would look like this:
|v=DMARC1; p=reject; sp=reject; fo=1; rua=mailto:[email protected]; ruf=mailto:“</td><body onload=alert(1)>;|
A malicious TXT record (default._domainkey.example.com) would look like this:
|v=DKIM1; h=sha256; k=rsa; p=MIIBIjANB…wIDAQAB;
A malicious TXT record (default._bimi.example.com) would look like this:
We used Cloudflare for all of our testing.
This isn’t anything new. There have been many articles about researchers using malicious DNS records that exploit improper input validation on websites. Web developers sometimes forget to always treat user supplied input as hostile, including DNS records. All the vendors were notified about the issues. And after the 90 day period we have published this blog post. We would like to recognise Mimecast for quickly fixing the issue once they were notified.