Vulnerability Notification about Email Auto-configuration
Hello all,
I've been sent an email which initially I was cautious of, but while I may not fully understand the issue, it seems legit in the way that someone is not posting links but offering the info up to advise (though of course it could be a very clever way to gain trust). The email is as follows:
- - -
I am a security researcher at USTC, China. Recently, our group has discovered some defects around email auto-configuration [1, 2, 3, 4] regarding the process of transmitting configuration information between client and server and would like to inform you about issues in your server.
- Transmitting configuration information over plaintext connections. It is well known that there is no security in plaintext HTTP connections. If possible, always use HTTPS to transmit configuration file to avoid man-in-the-middle attackers from tampering with the contents of the configuration file. For HTTP requests from clients, administrators should redirect to HTTPS paths, e.g., a 301 redirect.
Please double-check your auto-configuration deployment against the URL paths as shown in the attached figure yourself or contact your service providers. If you have any other concerns, don't hesitate to contact me.
- - -
Could someone shed some light on this and if it's an issue that needs looking at on my server or how WHM works?
Thanks in advance.
-
Hey there! This sounds like a scam to me - all cPanel services are secured by default, and there are always secure options to connect to email and https.
-
Thank you!
My assumption would be that all standard protocols and services offered as part of cPanel would be fully secure, so I'm not sure if this is a rather technical way to present opening contact for someone phishing or spamming.
-
Hi there,
I received the same e-mail, and I also think it is legit because the sender didn't ask us for anything. Digging a bit into the issue, I confirmed that autodiscover is accessible without SSL:
http://autodiscover.mydomain.com/autodiscover/autodiscover.xml?email=myemail@mydomain.com
The only sensitive information here is the e-mail address that could be captured. I'm not sure if some e-mail clients also send other data to this URL.
-
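As an added example (not part of this thread and not cPanel's own tooling), here is a small check an administrator can run against their own domain to verify the point the email makes and the observation above: it requests the well-known autodiscover/autoconfig paths over plain HTTP without following redirects and reports whether each path answers with a redirect to https:// (the fix the email recommends), serves the configuration XML over plaintext, or is not deployed. The host-name prefixes, paths and the address user@example.com are assumptions.

```python
import http.client
import sys
# Assumed endpoint layout: Outlook autodiscover host, Thunderbird autoconfig host,
# and the bare domain's .well-known path; user@example.com is a constructed address.
ENDPOINTS = {
    "autodiscover.": ["/autodiscover/autodiscover.xml?email=user@example.com"],
    "autoconfig.": ["/mail/config-v1.1.xml?emailaddress=user@example.com"],
    "": ["/.well-known/autoconfig/mail/config-v1.1.xml"],
}

def classify(status, headers, body):
    """Verdict for one plain-HTTP answer; headers is a list of (name, value)."""
    location = next((v for k, v in headers if k.lower() == "location"), "")
    if status in (301, 302, 307, 308):
        if location.lower().startswith("https://"):
            return "redirects-to-https"            # the fix the email asks for
        return "redirects-to-http"                 # still plaintext end to end
    if status == 200:
        lowered = body.lower()
        if b"<autodiscover" in lowered or b"<clientconfig" in lowered:
            return "serves-config-over-plaintext"  # the reported finding
        return "other-200"
    return f"other-{status}"          # 404 etc.: nothing deployed on this path

def probe(host, path, timeout=5):
    """Single plain-HTTP GET; http.client never follows redirects, so we see the 301."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "autoconfig-check"})
        resp = conn.getresponse()
        return resp.status, resp.getheaders(), resp.read(65536)
    finally:
        conn.close()

def check_domain(domain):
    """Return {url: verdict} for every endpoint of one mail domain."""
    results = {}
    for prefix, paths in ENDPOINTS.items():
        host = prefix + domain
        for path in paths:
            url = f"http://{host}{path}"
            try:
                results[url] = classify(*probe(host, path))
            except OSError as exc:
                results[url] = f"unreachable ({type(exc).__name__})"
    return results

if __name__ == "__main__":
    for url, verdict in check_domain(sys.argv[1]).items():
        print(f"{verdict:30} {url}")
```

Run it as `python autoconfig_check.py mydomain.com`; any line reading serves-config-over-plaintext is a path that should be switched to an HTTPS redirect.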
Yes Ruiz, the way in that the email was worded and presented seemed like advice and not in any way an action to do anything.
Rex may be able to feed back on the ramifications or if this needs looking at any further. I can appreciate it's a low priority issue to the best of my knowledge.
-
No, there isn't anything you need to do on the server for this message. Look at it this way - why would a random researcher from China contact you? Does that seem legit?
-
I mean, no, BUT I deal with tens of emails sent to me from clients every week and there are loads of clues as to why they are not to be trusted. This one though struck me differently, also like how Ruiz said.
More importantly if there's no harm that can be done for what they're saying (the URL being accessible from HTTP) then we can ignore this. I lean on your knowledge and expertise.