Disposable mail Responsible Disclosure Program | Disposable mail Blog – 10 minute mail

As of today, researchers can report security issues in Disposable mail services to earn a spot on our Hall of Fame as well as some cool prizes. The Disposable mail team has participated in most Responsible Disclosure programs out there and we felt the time is here to have one of our own.

But our service is made for finding web vulnerabilities, so how come we need a Disclosure program? Well. Even though our services are based around finding security bugs in web applications, we are not so naive as to think that our own applications are 100% flawless. We take security issues seriously and will respond swiftly to fix verifiable security issues. If you are the first to report a verifiable security issue, we’ll thank you with some cool stuff and a place on our Hall of Fame page.

How does the reporting process work?

It’s a 5 step process:

  • A researcher sends a mail using the correct template to [email protected]
  • The researcher will get an automatic response confirming that we have acquired the issue
  • A support case is automatically created
  • The person assigned to the support case responds to the researcher, verifying the issue
  • The issue is patched and the researcher is showered in eternal

What bugs are eligible?

Any typical web security bugs such as:

  • Cross-site Scripting
  • Open redirect
  • Cross-site request forgery
  • File inclusion
  • Authentication bypass
  • Server-side code execution

What bugs are NOT eligible?

Any typical low-impact or overly complex issues, such as:

  • Missing Cookie flags on non-session cookies or 3rd party cookies
  • Logout CSRF
  • Social engineering
  • Denial of service
  • SSL BEAST/CRIME/etc

So what are you waiting for?

Sign up for Disposable mail here.

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

How we got read access on Google’s production servers – 10 minute mail

Few things are better than a good ethical hacking challenge and what could be more fun than finding a target that can be used against itself? Find out how the Disposable mail team hacked their way to read access to Google’s production servers.

To stay on top of the latest security alerts we often spend time on bug bounties and CTFs. When we were discussing the challenge for the weekend, Mathias got an interesting idea: What target can we use against itself?

Of course. The Google search engine!

What better way to scan Google for bugs than by using the search engine itself? And what kind of software tends to contain the most vulnerabilities?

  • Old and deprecated software
  • Unknown and hardly accessible software
  • Proprietary software that only a few people have access to
  • Alpha/Beta releases and otherwise new technologies (software in the early stages of its lifetime)

For you bounty hunters, here’s a tip:

Google Dork

Putting these together, we started Google dorking for acquisitions and products, looking for antique systems without any noticeable number of users.

One system caught our eye: the Google Toolbar button gallery. We looked at each other and jokingly said “this looks vuln!”, not knowing how right we were.

Not two minutes later we noticed that the gallery lets users customize their toolbar with new buttons. If you’re a developer, you’re also able to create your own buttons by uploading XML files containing various metadata (styling and such).

Fredrik read through the API specifications, and crafted his own button containing fishy XML entities. The plan was to conduct an XXE attack as he noticed the title and description fields were printed out when searching for the buttons.

The root cause of XXE vulnerabilities is naive XML parsers that blindly interpret the DTD of user-supplied XML documents. By doing so, you risk having your parser do a bunch of nasty things. Some issues include: local file access, SSRF and remote file includes, Denial of Service and possibly remote code execution. If you want to know how to patch these issues, check out the OWASP page on how to secure XML parsers in various languages and platforms.
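As an added example (not code from the post, and not the gallery’s own code), here is what the two standard fixes look like on the receiving side of an upload like the one described: reject any DTD in a document type that never needs one, and parse with external entity loading switched off so a declared external entity expands to nothing instead of to a server file. The element names, the sample document and the file path it points at are assumptions constructed for this example; the parser used is Python’s standard-library `xml.sax` expat reader.

```python
"""Hardened handling of user-supplied button XML (added example).

Two defences against the XXE described above: refuse DTDs in uploads that
never need them, and parse with external entity loading switched off so a
declared external entity expands to nothing instead of a server file.
"""
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed sample upload. The element names are assumptions for this
# example, not the real gallery schema. Its DTD declares an external entity
# and references it from the title field, which the gallery echoed back.
SAMPLE_BUTTON_XML = b"""<?xml version="1.0"?>
<!DOCTYPE button [
  <!ENTITY ext SYSTEM "file:///etc/hosts">
]>
<button>
  <title>&ext;</title>
  <description>Search helper</description>
</button>
"""

DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def has_doctype(document: bytes) -> bool:
    """Defence 1: a button upload has no legitimate use for a DTD."""
    return DOCTYPE_RE.search(document) is not None


class ButtonHandler(ContentHandler):
    """Collects the text of the <title> and <description> elements."""

    def __init__(self):
        super().__init__()
        self.fields = {"title": "", "description": ""}
        self._current = None

    def startElement(self, name, attrs):
        if name in self.fields:
            self._current = name

    def endElement(self, name):
        if name == self._current:
            self._current = None

    def characters(self, content):
        if self._current is not None:
            self.fields[self._current] += content


def parse_button(document: bytes) -> dict:
    """Defence 2: parse with external general and parameter entities disabled.

    xml.sax's expat reader only fetches an external entity when
    feature_external_ges is on; with it off, &ext; contributes no text.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = ButtonHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(document))
    return {name: text.strip() for name, text in handler.fields.items()}


def accept_upload(document: bytes) -> dict:
    """Gallery-side entry point: reject any DTD up front, then parse safely."""
    if has_doctype(document):
        raise ValueError("DOCTYPE declarations are not allowed in button uploads")
    return parse_button(document)


if __name__ == "__main__":
    # Even without the DOCTYPE check, the hardened parser leaves the title empty.
    print(parse_button(SAMPLE_BUTTON_XML))
    try:
        accept_upload(SAMPLE_BUTTON_XML)
    except ValueError as exc:
        print("rejected:", exc)
```

The DOCTYPE check is the blunt instrument: it costs nothing and removes the whole class of DTD-driven issues (external entities, entity expansion bombs, parameter entities) for formats that never need a DTD. The parser setting is the belt to that pair of braces, for the case where a later code path parses the same bytes with a parser that does not get the pre-check.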

Nevertheless. The file got uploaded… and behold! First try:

/etc/passwd

Second try (for verification purposes):

/etc/hosts

Boom goes the dynamite.

What you see here is the /etc/passwd and the /etc/hosts of one of Google’s production servers. Our payloads served as a proof of concept to prove the impact. We could just as well have tried to access any other file on their server, or moved on to SSRF exploitation in order to access internal systems. To say the least, that’s pretty bad.

We contacted Google straight away while popping open some celebration beers. After 20 minutes we got a reply from Thai on the Google Security Team. They were impressed. We exchanged a few emails on the details back and forth during the coming days. In our correspondence we asked how much the vulnerability was worth. This is what we received as reply:

XXE Meme

The bottles (or whatever it is that falls out) turned out to be worth $10,000, enough to cover a road trip through Europe.

tl;dr: We uploaded a malicious XML to one of Google’s servers. Turned out to be a major XXE issue. Google financed an awesome road trip for the team.

Thanks for reading.

Written by: Fredrik
Co-Author: Mathias

If Google can get hacked, are you sure your service is secure? Disposable mail is an automated security monitoring service that tests your website for over 700 vulnerabilities. Sign up for a free trial and check your site’s security.



Team event – Disposable mail Sailing – 10 minute mail

The Disposable mail team took a day off in order to explore the archipelago outside Stockholm from the sea side. It was a great day blessed with sunshine and just enough sea breeze.

The sailing took us from Saltsjöbaden on a tour heading east out into the archipelago. In the beginning we experienced light winds that picked up in the afternoon, when we were sailing at 10 knots into a 20-knot headwind. After a day of sailing we moored in a bay where we enjoyed some well-deserved dinner, some swimming, slacklining, hiking and just had a great time. The day after we set sail back to the city.

Here are some pictures from the day.

So these are the things we do when we are not working on making the internet a safer place. Do you think this is cool and want to join our team?

Take a look at our open positions here!


[Integration] You can now integrate Disposable mail with Slack – 10 minute mail

Slack is the first of Disposable mail’s workflow integrations. One of the many advantages of Slack is that it’s a single point of contact for all the tools you and your team use. Using this integration, your whole company can start to see security and vulnerability scanning as part of their workflow. You’ll be able to ping a Slack channel with Disposable mail scan starts, finishes, and findings, so you can get on top of anything critical right away.

Seeing the site scans in a Slack channel also means it will start to get your team used to thinking about security as an ongoing concern, rather than something to react to once it’s too late. Soon it will be so second nature to everyone that it’ll seem strange that security was ever seen as a separate function.

Slack Disposable mail Integration

Head over to our Knowledge Base and check out the tutorial on How to set up your integration with Slack!

Happy scanning!
//The Disposable mail Team


GUIDE: The false positive report process – 10 minute mail

My name is Linus Särud. I’m a Disposable mail Security Researcher and responsible for incoming support emails. Going forward, we will identify popular subjects from the Disposable mail support and write about them on our blog, for a more open and transparent communication with our users. This is both to ensure that you use our product in the best way possible, and to give attention to those of our users who continuously help us improve our service for it to be as accurate as possible.

We have received some questions about false positives, so this seemed like a good subject to start with.

What exactly happens when you report a false positive?
Disposable mail has identified over a million vulnerabilities on the websites that were scanned. Less than 0.1% of all those are reported as false positives. False positives are findings that are detected as vulnerabilities when they actually are not – and we are working hard to minimize the occurrence of these to ensure a more accurate result.

When you report a false positive (i.e., a vulnerability that isn’t really a vulnerability), mainly three things happen:

• The finding is marked as a false positive in the report.

• The false positive status is saved in a database, so that we can filter out similar findings in future reports.

• An email is sent to an employee who handles these cases for each report. That’s usually me. We make sure to follow up on every report manually.

Individual review of all reports
As we manually review every false positive report it helps if you are detailed in your description in the report. This applies to all kinds of questions and feedback that you send to the Disposable mail support.

• In cases where we can confirm that the vulnerability actually exists, and therefore is not a false positive, we try to explain this to the user, as there has clearly been some kind of misunderstanding.

• In cases where we fail to confirm the vulnerability, and that it’s therefore likely to be an actual false positive, we file a report in an internal bug tracker. These reports are then reviewed by the developers of the web service.

When it has gone through these steps and it is confirmed to be a valid false positive, we try to find the issue, fix it and then add it to a future release.

So by reporting false positives you help improve Disposable mail. Thank you for this and keep reporting!

Linus Särud
Security Researcher
@_zulln



[Integration] You can now integrate Disposable mail with HipChat – 10 minute mail

HipChat is another one of Disposable mail’s workflow integrations – there are still many more to come! Set up your integration with HipChat to add security and vulnerability scanning in your workflow in a straightforward and easy way, and start shipping safer code.

When you connect Disposable mail to your HipChat account you will be able to get notified when a scan has started or finished and/or when a vulnerability has been found. You will receive the notification to the channel of your choice. This makes it easy to keep track of the security level of your site without having to log in to Disposable mail.

HipChat Integration

Check out our tutorial to learn how to set up the integration!

Happy scanning!
//The Disposable mail Team


How to make sure your site is secure before releasing it to the public – 10 minute mail

Most developers today know that one should run unit tests and integration tests before pushing things live. But not all developers know how to test if their site is secure.

Development or staging environments usually aren’t accessible from the internet, but there is a solution and that solution is called ngrok. ngrok is a tool that creates a secure tunnel to a closed environment, which is perfect for granting Disposable mail access.

For a complete guide, read How to set up your staging environment using ngrok and Disposable mail in our knowledge base.

Disposable mail ngrok

Do not hesitate to reach out at [email protected] if you want help setting it all up.

Happy scanning!
//The Disposable mail Team


The 7 biggest web security news of 2015 – 10 minute mail

Below, the Disposable mail team has listed some of the largest security news and breaches of the past year, that have had a great impact on the security and privacy of both companies and individuals. Let’s make it a new year’s resolution to be more web-secure next year, shall we?

The Ashley Madison hack leaking cheaters’ user data

The online cheating site AshleyMadison.com was hacked in July, leaking email addresses and account details of 32 million site members. Avid Life Media (ALM), the Toronto-based parent company of AshleyMadison, also had sensitive internal data leaked. The hackers, calling themselves “The Impact Team”, performed the hack as a response to the site’s unethical mission of arranging affairs between married people, as well as a comeback to ALM for charging its users $19 for a “total delete” of account information, a function which in reality didn’t work. Passwords on the live site were hashed using the bcrypt algorithm. ALM has announced a bounty for the hackers, but with no result so far.
(Read more on fortune.com)

Google Chrome Extensions sharing your private browsing history

Earlier in November, the Disposable mail team could confirm that popular Google Chrome Extensions were constantly tracking you by default, and making it very difficult or even impossible to opt out. By downloading certain extensions from the Chrome Web Store, users automatically agreed to the aggressive tracking. These extensions receive your complete browsing history, all your cookies, your secret access tokens used for authentication (e.g., Facebook Connect) and shared links from sites such as Dropbox and Google Drive. Our findings were picked up by media like the BBC and Observer.

– Since the publication, all of the Chrome Extensions mentioned have turned off the tracking script by default, and some of the extensions were also completely disabled by the Google Chrome Web Store team. The Firefox extension mentioned was disabled until the maintainer removed the tracking script and submitted a new version without tracking, says Frans Rosén, Knowledge Advisor at Disposable mail.

Let’s Encrypt is now trusted by all major browsers

Let’s Encrypt – a free, automated, and open certificate authority (CA) – announced in October that they are now trusted and supported by all major browsers. The free SSL/TLS certificate encrypts all the Internet traffic passed between a site and its users, supporting a secure browsing experience. The organization wants to see HTTPS become the standard for all websites. Let’s Encrypt entered Public Beta in the beginning of December, and certificates can now be obtained through their site.

(Read more on letsencrypt.org)

CIA Director John Brennan’s private email hacked

CIA Director John Brennan’s personal AOL email account was hacked in October, in what Brennan calls a case study showing the challenges that face national security in the modern age. A high school student claimed to be behind the hack, saying he obtained access to the account by posing as a Verizon worker, tricking another employee into revealing login information. Sensitive information from Brennan’s email was later published on Wikileaks, such as the Social Security Numbers of Brennan and his family as well as of some US intelligence officials. Earlier in the year Hillary Clinton’s private server and email account were also hacked, and she has been criticized since for using her private email to do official work, in a sense risking national security. (Read more on wired.com)

Crowdfunding site Patreon hacked – despite warnings

The crowdfunding site Patreon got hacked in October, leaking 2.3 million unique email addresses, as well as information on who had supported which projects and the conversations users had had with each other. Disposable mail had reported a specific Remote Code Execution vulnerability to Patreon prior to the breach, caused by a publicly exposed Werkzeug Debugger. We believe that the public debugger was the attack method, due to the simplicity and availability of the vulnerable endpoint. Read our full blog post on the hack here.

There are still thousands of publicly available instances of the Werkzeug Debugger out there, leaving many more sites open to the same kind of breach. To prevent it from happening to you, remember that the Werkzeug Debugger should only be enabled in testing environments, never when putting a site up online.
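Two concrete guards for that advice, as an added example that is not part of the post and not Werkzeug’s or Flask’s own code: a startup check that only honours `FLASK_DEBUG` when an environment variable (`APP_ENV`, an assumed name for this example) marks the box as a development machine, and a pre-release check over crawled staging responses that flags the debugger’s error page by its `<title>`. The sample responses are constructed for the example.

```python
"""Two pre-release guards for the Werkzeug debugger (added example).

The first is a startup guard for a Flask/Werkzeug app: debug mode is only
honoured when the deployment environment says it is a development box. The
second is a check to run over crawled responses from a staging site to spot
a debugger page that slipped through anyway.
"""
import re
from typing import Dict, List, Tuple

# The interactive debugger's error page carries "<exception> // Werkzeug
# Debugger" in its <title>; matching the title rather than the whole body
# avoids flagging ordinary pages that merely mention the debugger in text.
DEBUGGER_TITLE_RE = re.compile(rb"<title>[^<]*Werkzeug Debugger</title>")


def debug_allowed(env: Dict[str, str]) -> bool:
    """Honour FLASK_DEBUG only when APP_ENV (an assumed variable name for this
    example) explicitly marks the machine as a development environment."""
    wants_debug = env.get("FLASK_DEBUG", "0").strip().lower() in ("1", "true", "yes", "on")
    is_dev_box = env.get("APP_ENV", "").strip().lower() == "development"
    return wants_debug and is_dev_box


def exposed_debugger_paths(responses: Dict[str, Tuple[int, Dict[str, str], bytes]]) -> List[str]:
    """Return the request paths whose response is the Werkzeug debugger page."""
    return sorted(
        path for path, (_status, _headers, body) in responses.items()
        if DEBUGGER_TITLE_RE.search(body)
    )


# Constructed sample responses, as a pre-release crawl of a staging site might
# collect them: path -> (status, headers, body). All values are made up.
SAMPLE_RESPONSES = {
    "/": (200, {"Server": "gunicorn"},
          b"<html><head><title>Home</title></head><body>ok</body></html>"),
    "/orders?id=abc": (
        500,
        {"Server": "Werkzeug/0.11 Python/3.5", "Content-Type": "text/html"},
        b"<html><head><title>ValueError // Werkzeug Debugger</title></head>"
        b'<body><div class="debugger"><h1>ValueError</h1></div></body></html>',
    ),
    "/blog/debugging": (200, {"Server": "gunicorn"},
                        b"<html><head><title>Blog</title></head>"
                        b"<body>Never expose the Werkzeug Debugger.</body></html>"),
}


if __name__ == "__main__":
    prod = {"APP_ENV": "production", "FLASK_DEBUG": "1"}
    print("debug honoured in production:", debug_allowed(prod))   # False
    print("debugger exposed at:", exposed_debugger_paths(SAMPLE_RESPONSES))
```

Wire `debug_allowed` in front of the app’s `run()` / WSGI setup so that a stray `FLASK_DEBUG=1` in a production unit file is ignored rather than obeyed, and run `exposed_debugger_paths` over a staging crawl (for instance through the ngrok tunnel the knowledge base article describes) before the site goes public.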

– Patreon thanked us after the disclosure, in terms of getting the information out, since more companies were affected. They also paid a bug bounty for the finding, says Frans Rosén, Knowledge Advisor at Disposable mail.

Experian hack affecting 15 million people

The hack of Experian, one of the largest data brokers in the world, leaked personal information from around 15 million people, many of them T-Mobile customers who had used Experian to apply for credit checks. Names, addresses, and social security, driver’s license and passport numbers are assumed to have been leaked. Experian, being a data broker, is paradoxically often trusted by other companies to anonymize personal information. The hack is the most recent in a series of data breaches affecting organizations from the US government’s Office of Personnel Management to Target. (Read more on theguardian.com )

VTech hack leaking personal information of both parents and children

Chinese digital toy company VTech’s app store database Learning Lodge was hacked in November, exposing personal information of about 4.8 million parents and 200,000 children. The hack has been deemed among the biggest hacks ever documented, and the leaked information makes it possible to link listed kids to their parent. The hacker claimed there was no reason behind the hack, and appears to have shared the breached data only with the staff at tech news site Motherboard who first covered the story. However, it can’t be ruled out that the data may also have been sold to a third party. (Read more on motherboard.vice.com )

“Unfortunately more websites will be hacked in 2016”


Disposable mail co-founder and security researcher Fredrik Almroth Nordberg summarizes the consequences of the biggest security breaches of 2015, and predicts how web security will develop in 2016.


First encounters through the eyes of the Disposable mail scanner – 10 minute mail

What do typical websites look like through the eyes of our vulnerability scanner the first time they are tested? How does that picture change over time? Take a look behind the scenes, in the first of a long series of insights into our data.

In 2015 we tracked down over 2 million vulnerabilities in more than 20 thousand websites all around the world; in the month of November alone, that works out to roughly one every other eye blink. These, of course, cover a wide variety of security flaws and are classified on the fly with respect to their characteristics and overall impact according to the Common Vulnerability Scoring System (CVSS) specifications.

From this point of view, every website appears to be very peculiar in its own way, as typically the number of vulnerabilities increases with the size of the website itself, and their severity is highly dependent on many different factors. We asked ourselves if we could identify common weaknesses and if we could illustrate somehow a typical website with respect to its vulnerability status.

That picture is shown in the bubble chart below, which represents a typical website as it is seen through the eyes of our vulnerability scanner the first time it is tested.

Disposable mail Vulnerability Scanner

Each bubble represents a specific vulnerability.

The bubbles come in three different colors, corresponding to our categorization of vulnerabilities according to their severity:

  • in red, the most critical ones, with a CVSS score greater than or equal to 6;
  • in yellow, those with a CVSS score greater than or equal to 3 and less than 6;
  • in blue, the lower severity ones, with a CVSS score greater than zero and less than 3.

The size of each bubble is proportional to the frequency with which the vulnerability it represents is found over all the websites that we tested. That frequency is shown as a percentage for the most frequent vulnerabilities.

To make a long story short, at the risk of oversimplifying the whole picture, we can say that the smaller a bubble is, the less likely that vulnerability is to be found. And everything also looks more secure when the bigger percentages are in yellow or, even better, blue bubbles.
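The colour buckets and bubble sizes described above, worked through in code as an added example (not the scanner’s own code or data): a function that buckets a CVSS base score into red, yellow or blue with the stated boundaries, and one that turns a set of findings into per-vulnerability frequencies across sites. The findings, sites and scores are constructed for the example; only the vulnerability names are taken from the post.

```python
"""Severity colours and bubble sizes for a first-scan picture (added example).

Buckets a CVSS base score into the three colours used above and computes,
over a constructed set of findings, how often each vulnerability is found
across the scanned sites (the bubble size).
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple


def severity_colour(cvss: float) -> Optional[str]:
    """Red: score >= 6; yellow: 3 <= score < 6; blue: 0 < score < 3; None for 0."""
    if cvss >= 6:
        return "red"
    if cvss >= 3:
        return "yellow"
    if cvss > 0:
        return "blue"
    return None


# Constructed findings as (site, vulnerability, CVSS base score). The names
# are those mentioned in the post; the sites and scores are made up.
SAMPLE_FINDINGS: List[Tuple[str, str, float]] = [
    ("site-a", "Missing DNSSEC", 1.0),
    ("site-a", "Cookie is not set to be HttpOnly", 4.3),
    ("site-a", "Login Cross Site Request Forgery", 6.8),
    ("site-b", "Missing DNSSEC", 1.0),
    ("site-b", "Missing DNSSEC", 1.0),  # repeated on one site: counts once
    ("site-b", "Technology Disclosure", 3.0),
    ("site-c", "Missing DNSSEC", 1.0),
    ("site-c", "SSL BEAST", 2.6),
    ("site-d", "Cookie is not set to be HttpOnly", 4.3),
]


def bubble_chart(findings) -> Dict[str, Tuple[Optional[str], float]]:
    """Map each vulnerability to (colour, % of sites on which it was found).

    A vulnerability found several times on the same site counts once, so the
    percentage measures how many sites are affected, not how many instances.
    """
    sites = {site for site, _, _ in findings}
    affected = {(site, vuln) for site, vuln, _ in findings}
    per_vuln = Counter(vuln for _, vuln in affected)
    worst_score: Dict[str, float] = {}
    for _, vuln, cvss in findings:
        worst_score[vuln] = max(cvss, worst_score.get(vuln, 0.0))
    return {
        vuln: (severity_colour(worst_score[vuln]), round(100.0 * n / len(sites), 1))
        for vuln, n in per_vuln.items()
    }


if __name__ == "__main__":
    chart = bubble_chart(SAMPLE_FINDINGS)
    for vuln, (colour, pct) in sorted(chart.items(), key=lambda kv: -kv[1][1]):
        print(f"{pct:5.1f}%  {colour:6}  {vuln}")
```

The boundary cases matter for the chart’s meaning: a score of exactly 6.0 is red and exactly 3.0 is yellow, while informational findings with a score of 0 get no bubble at all.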

What vulnerabilities are mostly found during the first test?
The majority are medium and low severity ones, i.e. yellow and blue bubbles, with Missing DNSSEC showing up in about 85% of the cases, followed by SSL BEAST, found in 48% of the cases. The most relevant medium severity vulnerabilities are instead Cookie is not set to be HttpOnly and Technology Disclosure, which are found in 74% and 72% of all the cases respectively. Finally, among the most harmful ones, Login Cross Site Request Forgery is the most common, found in 33% of all the cases.

What happens after the first test?
Quite interestingly, although the sizes of the yellow and blue bubbles change quite a lot after the first test, there are 4 red bubbles which are always at the top of the list of the most commonly found critical vulnerabilities.

Top 4 critical vulnerabilities found on websites

  • Login Cross Site Request Forgery (CSRF/XSRF)
  • Email Spoofing / Missing SPF Records
  • Potential Vulnerabilities In The Web Server
  • Cross Site Scripting

All in all, hopefully you have found this helpful to prevent some of the weak spots that we most frequently find in websites.

Until next time, and may all the bubbles shrink!

Andrea Palaia
Data Scientist, Disposable mail
@_endriu



Disposable mail is #4 on Internetworld’s 2015 startup list – 10 minute mail

2015 ended on a high note for Disposable mail!

Internetworld published their annual list of Sweden’s most exciting startups and we’re #4! Internetworld’s list is a yearly selection of the most promising Swedish startups and we are thrilled to be featured together with 24 other companies such as Trueflow, Visiba, and this year’s winners, Kry.

Disposable mail 4th on Internetworld's Startup List

“It has been a great year for Disposable mail and it is an honour to be on the list with other promising startups. Being selected confirmed that we are doing important work and that web security is a growing concern for companies in all fields of business,” says Rickard Carlsson, CEO of Disposable mail.

We are looking forward to making the internet a safer place in 2016!
//The Disposable mail Team

Startuplistan logo

Disposable mail’s other awards

  • Super talents of 2015 (Veckans affärer)
  • Security experts of the future (Symantec)
  • International Startup Award (Launch Festival)
