Secuirty spam from Amazon
Posted by Dave Yadallee on
Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Mon, 27 Jun 2022 06:43:00 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
(envelope-from)
id 1o5o4V-000ACY-A8
for dave@doctor.nl2k.ab.ca;
Mon, 27 Jun 2022 06:42:31 -0600
Resent-From: The Doctor
Resent-Date: Mon, 27 Jun 2022 06:42:31 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from a8-81.smtp-out.amazonses.com ([54.240.8.81]:43871)
by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
(Exim 4.95 (FreeBSD))
(envelope-from <01000181a504dd6e-4a036fd3-bc49-40d2-acdc-7504122d6bf8-000000@amazonses.com>)
id 1o5nM2-000CIz-IQ
for doctor@nk.ca;
Mon, 27 Jun 2022 05:56:40 -0600
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1656330968;
h=Subject:From:To:Reply-To:List-Unsubscribe:List-Unsubscribe-Post:List-Id:Feedback-ID:Message-ID:MIME-Version:Date:Content-Type;
bh=cW9jUGU03edE/Lbm1JGNS6wfZ6mli1DEfH+3p30jMoE=;
b=ctDUVMlxZq93P+vT8YMsznjRAuUFzo9mp9VF142ACXwAwCzPFRoVrlyNESKa7bjr
eFJwb4cT0/KI9nf90BvCEaM/QFt0oQMq2lyQxszn9sTWsIjchQdspxvy1UB3+mlC+xr
UwOZ+EKL9D1wde3O0wHroVtwEXf9YvtS6uyF/taY=
Subject: Session not expiring after password change via forgot link
From: Claire Samuel
To: "doctor@nk.ca"
Reply-To: Claire Samuel
List-Unsubscribe:,
Subscriber-Uid:ey9677xbfhf21 - Unsubscribe request&body=Please unsubscribe
me!>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Id: af726vv397a14
X-Report-Abuse: https://email.offensiveguards.io/latest/campaigns/mx001lfzwh6e2/report-abuse/af726vv397a14/ey9677xbfhf21
X-EBS: https://email.offensiveguards.io/latest/lists/block-address
Feedback-ID: 1.us-east-1.jUPIvFwI5WueMv7UjkxdV4UxLo/q5d3gibQe3k7gqaU=:AmazonSES
Message-ID: <01000181a504dd6e-4a036fd3-bc49-40d2-acdc-7504122d6bf8-000000@email.amazonses.com>
MIME-Version: 1.0
Date: Mon, 27 Jun 2022 11:56:08 +0000
Content-Type: multipart/alternative; boundary=PbL8ZI_d
X-SES-Outgoing: 2022.06.27-54.240.8.81
--PbL8ZI_d
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Hello doctor,
Hope you are fine. As an=C2=A0independent security research=
er I have found
some bugs/vulnerabilities in your website.
Vulnerabilit=
y: Failure to invalidate session on forget password
I have observed that =
when we=C2=A0request=C2=A0a forgot password link it
updates the session i=
nstead of=C2=A0expiration. If an account=C2=A0is
logged=C2=A0in some acco=
unt and the password reset link=C2=A0is used=C2=A0the
other account will =
get updated but not expired.
Steps to reproduce:
1. Request a forgot pa=
ssword link.
2. Now login in another browser and then use the password re=
set link
in another browser.
3. You will notice that the password=C2=
=A0will be changed=C2=A0successfully
and the other browser will still be =
active with the account you opened
in it.
Impact:
If some account=
=C2=A0is logged=C2=A0in in=C2=A0some browser it=C2=A0will not
be=C2=A0log=
ged out from that browser and=C2=A0will be logged=C2=A0in and=C2=A0can
be=
=C2=A0used for malicious activities.
Recommendations:
It should expire =
immediately when the password=C2=A0is changed.
Regards.
--PbL8ZI_d
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable
=09Session not expiring after password change via forgot link</title=<br /><br />
><br /><br />
</head><br /><br />
<body>Hello doctor,<br /><br /><br />
Hope you are fine. As an=C2=A0independent security researcher I have found =<br /><br />
some bugs/vulnerabilities in your website.<br /><br /><br />
<br /><br /><br />
Vulnerability: Failure to invalidate session on forget password<br /><br /><br />
<br /><br /><br />
I have observed that when we=C2=A0request=C2=A0a forgot password link it up=<br /><br />
dates the session instead of=C2=A0expiration. If an account=C2=A0is logged=<br /><br />
=C2=A0in some account and the password reset link=C2=A0is used=C2=A0the oth=<br /><br />
er account will get updated but not expired.<br /><br /><br />
<br /><br /><br />
Steps to reproduce:<br /><br /><br />
<br /><br /><br />
1. Request a forgot password link.<br /><br /><br />
2. Now login in another browser and then use the password reset link in ano=<br /><br />
ther browser.<br /><br /><br />
3. You will notice that the password=C2=A0will be changed=C2=A0successfully=<br /><br />
and the other browser will still be active with the account you opened in =<br /><br />
it.<br /><br /><br />
<br /><br /><br />
Impact:<br /><br /><br />
<br /><br /><br />
If some account=C2=A0is logged=C2=A0in in=C2=A0some browser it=C2=A0will no=<br /><br />
t be=C2=A0logged out from that browser and=C2=A0will be logged=C2=A0in and=<br /><br />
=C2=A0can be=C2=A0used for malicious activities.<br /><br /><br />
<br /><br /><br />
Recommendations:<br /><br /><br />
<br /><br /><br />
It should expire immediately when the password=C2=A0is changed.<br /><br /><br />
<br /><br /><br />
Regards. <input type=3D"hidden" value=3D"Claire Samuel<br /><br /><br />
1070 S Elmhu=<br /><br />
rst Rd <br /><br /><br />
Mt Prospect Delaware 60056<br /><br /><br />
United States<br /><br /><br />
, =<br /><br />
https://email.offensiveguards.io/latest/lists/af726vv397a14/unsubscribe/ey9=<br /><br />
677xbfhf21/mx001lfzwh6e2" /></body><br /><br />
</html><br /><br />
--PbL8ZI_d--<br /><br />
</div>
<footer class="post-info">
<ul class="meta">
<li><span class="info-label">Categories: </span><a href="https://www.nk.ca/blog/index.php?/categories/65-Amazon-Spam">Amazon Spam</a></li>
<li><a href="/blog/index.php?/archives/2887-Secuirty-spam-from-Amazon.html#comments" title="0 Comments, 0 Trackbacks">0 Comments</a></li>
</ul>
</footer>
<!--
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/"
xmlns:dc="http://purl.org/dc/elements/1.1/">
<rdf:Description
rdf:about="https://www.nk.ca/blog/index.php?/feeds/ei_2887.rdf"
trackback:ping="https://www.nk.ca/blog/comment.php?type=trackback&entry_id=2887"
dc:title="Secuirty spam from Amazon"
dc:identifier="https://www.nk.ca/blog/index.php?/archives/2887-Secuirty-spam-from-Amazon.html" />
</rdf:RDF>
-->
</article>
<article class="post clearfix">
<header>
<h2 class="post-title"><a href="/blog/index.php?/archives/2886-Security-spam-from-Amazon.html">Security spam from Amazon</a></h2>
<span class="post-info">Posted by <a href="https://www.nk.ca/blog/index.php?/authors/1-Dave-Yadallee">Dave Yadallee</a> on <time datetime="2022-06-27T15:59:00+00:00">Monday, June 27. 2022</time></span>
</header>
<div class="clearfix">
Return-path: <doctor@doctor.nl2k.ab.ca><br /><br />
Envelope-to: dave@doctor.nl2k.ab.ca<br /><br />
Delivery-date: Mon, 27 Jun 2022 06:43:01 -0600<br /><br />
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))<br /><br />
(envelope-from <doctor@doctor.nl2k.ab.ca>)<br /><br />
id 1o5o4N-000ABr-0f<br /><br />
for dave@doctor.nl2k.ab.ca;<br /><br />
Mon, 27 Jun 2022 06:42:23 -0600<br /><br />
Resent-From: The Doctor <doctor@doctor.nl2k.ab.ca><br /><br />
Resent-Date: Mon, 27 Jun 2022 06:42:22 -0600<br /><br />
Resent-Message-ID: <YrmlrpmO6u9zIkGm@doctor.nl2k.ab.ca><br /><br />
Resent-To: Dave Yadallee <dave@doctor.nl2k.ab.ca><br /><br />
Received: from a8-97.smtp-out.amazonses.com ([54.240.8.97]:51827)<br /><br />
by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256<br /><br />
(Exim 4.95 (FreeBSD))<br /><br />
(envelope-from <01000181a504c74d-88bdf770-e679-48f6-b08a-9020da8e1786-000000@amazonses.com>)<br /><br />
id 1o5nLw-000CGs-Pi<br /><br />
for root@nk.ca;<br /><br />
Mon, 27 Jun 2022 05:56:33 -0600<br /><br />
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;<br /><br />
s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1656330962;<br /><br />
h=Subject:From:To:Reply-To:List-Unsubscribe:List-Unsubscribe-Post:List-Id:Feedback-ID:Message-ID:MIME-Version:Date:Content-Type;<br /><br />
bh=sJMaHM0gOhug46EjZsCveztYT9jxYpwc/9e9nMnkX4g=;<br /><br />
b=TLv83h3t+66wZmrZTDdV/Fg/YR89m3YZ2GSDeet41duJ55UWMF4C3pBsFWXLjBiR<br /><br />
Es3Nj3TTgQ5lOWCnzvCpAoFt66vXMabZfAQLCVGk4ENlUfR0l4nlQnG1FtfgVOKYbM8<br /><br />
YdHUWCvbuol3bmD77zLdnKO1+jy/b2i8J5hVbQOA=<br /><br />
Subject: Vulnerability - Failure to invalidate session on forget password<br /><br />
link<br /><br />
From: Claire Samuel <claire@offensiveguards.io><br /><br />
To: "root@nk.ca" <root@nk.ca><br /><br />
Reply-To: Claire Samuel <claire@offensiveguards.io><br /><br />
List-Unsubscribe: <https://email.offensiveguards.io/latest/lists/af726vv397a14/unsubscribe/hv0557rmh80d6/mx001lfzwh6e2?source=email-client-unsubscribe-button>,<br /><br />
<mailto:claire@offensiveguards.io?subject=Campaign-Uid:mx001lfzwh6e2 /<br /><br />
Subscriber-Uid:hv0557rmh80d6 - Unsubscribe request&body=Please unsubscribe<br /><br />
me!><br /><br />
List-Unsubscribe-Post: List-Unsubscribe=One-Click<br /><br />
List-Id: af726vv397a14 <Security Bug Report><br /><br />
X-Report-Abuse: https://email.offensiveguards.io/latest/campaigns/mx001lfzwh6e2/report-abuse/af726vv397a14/hv0557rmh80d6<br /><br />
X-EBS: https://email.offensiveguards.io/latest/lists/block-address<br /><br />
Feedback-ID: 1.us-east-1.jUPIvFwI5WueMv7UjkxdV4UxLo/q5d3gibQe3k7gqaU=:AmazonSES<br /><br />
Message-ID: <01000181a504c74d-88bdf770-e679-48f6-b08a-9020da8e1786-000000@email.amazonses.com><br /><br />
MIME-Version: 1.0<br /><br />
Date: Mon, 27 Jun 2022 11:56:02 +0000<br /><br />
Content-Type: multipart/alternative; boundary=2nIPpntA<br /><br />
X-SES-Outgoing: 2022.06.27-54.240.8.97<br /><br />
<br /><br />
--2nIPpntA<br /><br />
Content-Type: text/plain; charset=utf-8<br /><br />
Content-Transfer-Encoding: quoted-printable<br /><br />
<br /><br />
Hello root,<br /><br />
Hope you are fine. As an=C2=A0independent security researcher=<br /><br />
I have found<br /><br />
some bugs/vulnerabilities in your website.<br /><br />
Vulnerability:=<br /><br />
Failure to invalidate session on forget password<br /><br />
I have observed that wh=<br /><br />
en we=C2=A0request=C2=A0a forgot password link it<br /><br />
updates the session ins=<br /><br />
tead of=C2=A0expiration. If an account=C2=A0is<br /><br />
logged=C2=A0in some accoun=<br /><br />
t and the password reset link=C2=A0is used=C2=A0the<br /><br />
other account will ge=<br /><br />
t updated but not expired.<br /><br />
Steps to reproduce:<br /><br />
1. Request a forgot pass=<br /><br />
word link.<br /><br />
2. Now login in another browser and then use the password rese=<br /><br />
t link<br /><br />
in another browser.<br /><br />
3. You will notice that the password=C2=<br /><br />
=A0will be changed=C2=A0successfully<br /><br />
and the other browser will still be =<br /><br />
active with the account you opened<br /><br />
in it.<br /><br />
Impact:<br /><br />
If some account=<br /><br />
=C2=A0is logged=C2=A0in in=C2=A0some browser it=C2=A0will not<br /><br />
be=C2=A0log=<br /><br />
ged out from that browser and=C2=A0will be logged=C2=A0in and=C2=A0can<br /><br />
be=<br /><br />
=C2=A0used for malicious activities.<br /><br />
Recommendations:<br /><br />
It should expire =<br /><br />
immediately when the password=C2=A0is changed.<br /><br />
Regards.<br /><br />
--2nIPpntA<br /><br />
Content-Type: text/html; charset=utf-8<br /><br />
Content-Transfer-Encoding: quoted-printable<br /><br />
<br /><br />
<!DOCTYPE html><br /><br />
<html><br /><br />
<head><meta charset=3D"utf-8"/><br /><br />
=09<title> Vulnerability - Failure to invalidate session on forget password=<br /><br />
link
Hello root,
Hope you are fine. As an=C2=A0independent security researcher I have found =
some bugs/vulnerabilities in your website.
Vulnerability: Failure to invalidate session on forget password
I have observed that when we=C2=A0request=C2=A0a forgot password link it up=
dates the session instead of=C2=A0expiration. If an account=C2=A0is logged=
=C2=A0in some account and the password reset link=C2=A0is used=C2=A0the oth=
er account will get updated but not expired.
Steps to reproduce:
1. Request a forgot password link.
2. Now login in another browser and then use the password reset link in ano=
ther browser.
3. You will notice that the password=C2=A0will be changed=C2=A0successfully=
and the other browser will still be active with the account you opened in =
it.
Impact:
If some account=C2=A0is logged=C2=A0in in=C2=A0some browser it=C2=A0will no=
t be=C2=A0logged out from that browser and=C2=A0will be logged=C2=A0in and=
=C2=A0can be=C2=A0used for malicious activities.
Recommendations:
It should expire immediately when the password=C2=A0is changed.
Regards.
1070 S Elmhu=
rst Rd
Mt Prospect Delaware 60056
United States
, =
https://email.offensiveguards.io/latest/lists/af726vv397a14/unsubscribe/hv0=
557rmh80d6/mx001lfzwh6e2" />
--2nIPpntA--
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Mon, 27 Jun 2022 06:43:00 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
(envelope-from
id 1o5o4V-000ACY-A8
for dave@doctor.nl2k.ab.ca;
Mon, 27 Jun 2022 06:42:31 -0600
Resent-From: The Doctor
Resent-Date: Mon, 27 Jun 2022 06:42:31 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from a8-81.smtp-out.amazonses.com ([54.240.8.81]:43871)
by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
(Exim 4.95 (FreeBSD))
(envelope-from <01000181a504dd6e-4a036fd3-bc49-40d2-acdc-7504122d6bf8-000000@amazonses.com>)
id 1o5nM2-000CIz-IQ
for doctor@nk.ca;
Mon, 27 Jun 2022 05:56:40 -0600
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1656330968;
h=Subject:From:To:Reply-To:List-Unsubscribe:List-Unsubscribe-Post:List-Id:Feedback-ID:Message-ID:MIME-Version:Date:Content-Type;
bh=cW9jUGU03edE/Lbm1JGNS6wfZ6mli1DEfH+3p30jMoE=;
b=ctDUVMlxZq93P+vT8YMsznjRAuUFzo9mp9VF142ACXwAwCzPFRoVrlyNESKa7bjr
eFJwb4cT0/KI9nf90BvCEaM/QFt0oQMq2lyQxszn9sTWsIjchQdspxvy1UB3+mlC+xr
UwOZ+EKL9D1wde3O0wHroVtwEXf9YvtS6uyF/taY=
Subject: Session not expiring after password change via forgot link
From: Claire Samuel
To: "doctor@nk.ca"
Reply-To: Claire Samuel
List-Unsubscribe:
Subscriber-Uid:ey9677xbfhf21 - Unsubscribe request&body=Please unsubscribe
me!>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Id: af726vv397a14
X-Report-Abuse: https://email.offensiveguards.io/latest/campaigns/mx001lfzwh6e2/report-abuse/af726vv397a14/ey9677xbfhf21
X-EBS: https://email.offensiveguards.io/latest/lists/block-address
Feedback-ID: 1.us-east-1.jUPIvFwI5WueMv7UjkxdV4UxLo/q5d3gibQe3k7gqaU=:AmazonSES
Message-ID: <01000181a504dd6e-4a036fd3-bc49-40d2-acdc-7504122d6bf8-000000@email.amazonses.com>
MIME-Version: 1.0
Date: Mon, 27 Jun 2022 11:56:08 +0000
Content-Type: multipart/alternative; boundary=PbL8ZI_d
X-SES-Outgoing: 2022.06.27-54.240.8.81
--PbL8ZI_d
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Hello doctor,
Hope you are fine. As an=C2=A0independent security research=
er I have found
some bugs/vulnerabilities in your website.
Vulnerabilit=
y: Failure to invalidate session on forget password
I have observed that =
when we=C2=A0request=C2=A0a forgot password link it
updates the session i=
nstead of=C2=A0expiration. If an account=C2=A0is
logged=C2=A0in some acco=
unt and the password reset link=C2=A0is used=C2=A0the
other account will =
get updated but not expired.
Steps to reproduce:
1. Request a forgot pa=
ssword link.
2. Now login in another browser and then use the password re=
set link
in another browser.
3. You will notice that the password=C2=
=A0will be changed=C2=A0successfully
and the other browser will still be =
active with the account you opened
in it.
Impact:
If some account=
=C2=A0is logged=C2=A0in in=C2=A0some browser it=C2=A0will not
be=C2=A0log=
ged out from that browser and=C2=A0will be logged=C2=A0in and=C2=A0can
be=
=C2=A0used for malicious activities.
Recommendations:
It should expire =
immediately when the password=C2=A0is changed.
Regards.
--PbL8ZI_d
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable
=09
Hello root,
Hope you are fine. As an=C2=A0independent security researcher I have found =
some bugs/vulnerabilities in your website.
Vulnerability: Failure to invalidate session on forget password
I have observed that when we=C2=A0request=C2=A0a forgot password link it up=
dates the session instead of=C2=A0expiration. If an account=C2=A0is logged=
=C2=A0in some account and the password reset link=C2=A0is used=C2=A0the oth=
er account will get updated but not expired.
Steps to reproduce:
1. Request a forgot password link.
2. Now login in another browser and then use the password reset link in ano=
ther browser.
3. You will notice that the password=C2=A0will be changed=C2=A0successfully=
and the other browser will still be active with the account you opened in =
it.
Impact:
If some account=C2=A0is logged=C2=A0in in=C2=A0some browser it=C2=A0will no=
t be=C2=A0logged out from that browser and=C2=A0will be logged=C2=A0in and=
=C2=A0can be=C2=A0used for malicious activities.
Recommendations:
It should expire immediately when the password=C2=A0is changed.
Regards.
1070 S Elmhu=
rst Rd
Mt Prospect Delaware 60056
United States
, =
https://email.offensiveguards.io/latest/lists/af726vv397a14/unsubscribe/hv0=
557rmh80d6/mx001lfzwh6e2" />
--2nIPpntA--