06 January 2009

Application Data Flows by Email

It is very common to find web applications where part of the business process, not just acknowledgements, is undertaken using electronic mail. These processes need to be designed securely and tested as well.

I've previously written, in Keep The Emails Coming, about testing the email alerts used for errors, problems and other unusual conditions, but email is also commonly used as a shortcut for developing some parts of business processing.

A recent project I was working on included a link to unsubscribe from marketing emails. Clicking on the link gave a slightly sparse single phrase confirmation—not particularly usable and it didn't validate me in any other way or notify me of the change by anything other than the screen message, but it was probably okay for the type of system.

Partial screen capture showing the words 'You have been successfully unsubscribed' that appeared after clicking on an unsubscribe link

However, within a few minutes I had received another email - an auto-responder:

Partial screen capture of the email message with the subject line 'Your message to Admins requires moderator approval', from 'admins-bounes@...' and stating: Your mail to Admins with the subject A contact has unsubscribed from your list ****** Is being held until the list moderator can review it for approval. The reason it is being held: Post by non-member to a members-only list. Either the message will get posted to the list, or you will receive notification of the moderator's decision. If you would like to cancel this posting, please visit the following URL: http://******/mailman/confirm/admins_******/...

Very interesting. What does this tell us?

  • There is an administration mailing list
  • The unsubscribe process sent a message to the administration list with my email address as the sender
  • Posting to the list is restricted to certain people, and thus could be a way to identify administrators' email addresses
  • The list may be using Mailman, the GNU Mailing List Manager
  • The list administration address begins with /mailman/confirm/admins_******/

And, I suppose the implication is my email address has not been removed from the mailing list yet.

If this were a web application penetration test, it might be that some of the mailing list administrative usernames, and perhaps passwords, are the same as for the web application. Or the content of messages in the list might contain useful information to help access the web application. The email responder is sending too much information, and this message should not be sent to a subscriber at all; the information leakage stems from using the subscriber's email address as the sender.
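As an added illustration (not code from the system described here), the Python sketch below builds the internal unsubscribe notice both ways and audits which sender fields would route an automated reply back to the subscriber. The function names and all addresses are hypothetical, and the sample values are constructed.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Headers a list manager or auto-responder may use to decide where a reply goes.
REPLY_TARGET_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")

def build_unsubscribe_notice(subscriber, list_addr, system_addr=None):
    """Build the internal 'contact has unsubscribed' notice.

    system_addr=None reproduces the flawed design: the subscriber is the sender.
    Returns (message, envelope_sender); the envelope sender is the SMTP MAIL FROM.
    """
    sender = system_addr or subscriber
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = list_addr
    msg["Subject"] = "A contact has unsubscribed from your list"
    if system_addr:
        # RFC 3834: marks the message as machine-generated; well-behaved
        # responders are expected not to auto-reply to it.
        msg["Auto-Submitted"] = "auto-generated"
    # The subscriber's address travels as data in the body, not as a sender.
    msg.set_content(f"Unsubscribed address: {subscriber}\n")
    return msg, sender

def reply_leak_findings(msg, envelope_from, subscriber):
    """List the design problems that let automated replies reach the subscriber."""
    target = subscriber.lower()
    findings = []
    if envelope_from.lower() == target:
        findings.append("envelope MAIL FROM")
    for name in REPLY_TARGET_HEADERS:
        values = [str(v) for v in msg.get_all(name, [])]
        if target in (addr.lower() for _, addr in getaddresses(values)):
            findings.append(f"{name} header")
    if str(msg.get("Auto-Submitted", "no")).lower() == "no":
        findings.append("Auto-Submitted not set")
    return findings

if __name__ == "__main__":
    sub, lst = "alice@example.org", "admins@lists.example.com"  # constructed
    for system in (None, "noreply@app.example.com"):
        notice, env = build_unsubscribe_notice(sub, lst, system)
        print(system or "subscriber as sender", "->",
              reply_leak_findings(notice, env, sub))
```

A check like this can run in the application's test suite against every internally generated message, so that no user-supplied address ends up in a position where a bounce or moderation notice would be delivered to it.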

So, remember a web application's security is only as good as its weakest link. The security architecture needs to address the whole business process, not just the web page parts.

Posted on: 06 January 2009 at 12:30 hrs

http://www.clerkendweller.com/2009/1/6/Application-Data-Flows-by-Email