
I'm interested in testing the security of 'Unsubscribe' links embedded in emails sent to customers by large companies. I'm targeting companies participating in a certain bug bounty program, and my question is about scope:

If I think I've discovered a pattern in the generated unsubscribe links (the token in the URL is being incremented, for example), I'll want to test that by navigating to a URL that, if successful, will unsubscribe some other user from company emails. Does this qualify as a breach of customer experience or data?

jandek

  • "customer experience" problems are not really what we deal with here and whether or not they are in scope of your bug bounty program is up to the program. – schroeder Jan 25 '19 at 19:41

1 Answer

Yes, unsubscribing customers unwillingly is a security finding. It's hard to say how much that finding is "worth." Have you joined or read up on bug crowd or other centralized bug hunting and bounty programs? This kind of thing tends to go better if you are part of a "syndicate" instead of disclosing alone.

bashCypher
  • Under what aspect of security is this a finding? – schroeder Jan 25 '19 at 19:42
  • Sorry, my question was unclear. I meant to ask whether unsubscribing a customer from email notifications in the course of testing would be considered a violation of scope, not whether the finding had merit. As @schroeder pointed out, I guess this comes down to the particulars of each organization's bounty contract. I'm very new, and I guess I was generally curious about how organizations handle cases of 'incidental damage' (however slight), like the one I described. – jandek Jan 25 '19 at 19:47
  • @mr_pb you need to raise the question with the bounty organiser – schroeder Jan 25 '19 at 19:51
  • @schroeder are you saying it's not, or are you asking me to add that to this response? The ability to manipulate a web URL for malicious intent is an application layer security (web) vulnerability and falls right in line with coupon hacking that's so prevalent (skimming coupons with badly designed APIs with ++1 counters). – bashCypher Jan 25 '19 at 20:48
  • @bashCypher But what harm is experienced? In other words, what's the risk here? – schroeder Jan 25 '19 at 20:50
  • @schroeder denial of service, misuse of exposed assets, replacing the emails with clone ones as part of a phishing scheme... probably more. It might not be a 10, but it's a finding. Unless you ask the devs and then it's a feature – bashCypher Jan 25 '19 at 20:59
  • We talk about the CIA triad, don't we? Confidentiality, Integrity and Availability. If you can unsubscribe other users, I would call it a breach of Availability. – mcgyver5 Jan 25 '19 at 21:09
  • @bashCypher and that's kind of my point. "Availability" is often in the eye of the beholder. The whole question is about scope and your answer doesn't address scope or define how it is a security finding. The answer here is to let the stakeholder decide. – schroeder Jan 26 '19 at 14:33
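The weakness the question describes is a guessable unsubscribe token (a record id that can be incremented). The usual fix on the service side is to bind the id to a server-side secret so that a changed id no longer verifies. The following Python is an added illustration, not code from the question, the answer or any of the companies discussed; the key, user ids and list name are constructed for the example, and `sequential_token` exists only to show the weak design next to the signed one.

```python
import base64
import hashlib
import hmac

# Constructed key for this example only; a real service loads it from a
# secrets manager and rotates it. Anyone holding the key can mint tokens.
SERVER_KEY = b"example-key-for-demo-only"
TAG_LEN = 32  # SHA-256 output size in bytes


def sequential_token(user_id: int) -> str:
    """The weak design from the question: the token is just the record id,
    so the link for a neighbouring customer is one increment away."""
    return str(user_id)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding stripped at encode time before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsubscribe_token(user_id: int, list_id: str, key: bytes = SERVER_KEY) -> str:
    """Bind (user_id, list_id) to an HMAC-SHA256 tag under the server secret.
    The id is still visible in the link, but changing it invalidates the tag."""
    msg = f"{user_id}:{list_id}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return _b64url_encode(msg + tag)


def verify_unsubscribe_token(token: str, key: bytes = SERVER_KEY):
    """Return (user_id, list_id) for an authentic token, otherwise None.
    Every rejection path returns None so the caller cannot distinguish a
    malformed token from a forged one."""
    try:
        raw = _b64url_decode(token)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    msg, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak tag bytes via timing.
    if not hmac.compare_digest(expected, tag):
        return None
    user_str, sep, list_id = msg.decode(errors="replace").partition(":")
    if not sep or not user_str.isdigit():
        return None
    return int(user_str), list_id


def tampered_token(token: str, new_user_id: int) -> str:
    """Negative test helper: rebuild a valid token with a different user id
    but the original tag. This is what an 'increment the id' attempt looks
    like against the signed scheme; the verifier must reject it."""
    raw = _b64url_decode(token)
    msg, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    _, _, list_id = msg.decode().partition(":")
    return _b64url_encode(f"{new_user_id}:{list_id}".encode() + tag)


if __name__ == "__main__":
    good = make_unsubscribe_token(1042, "promo")
    print("valid token ->", verify_unsubscribe_token(good))
    print("incremented id ->", verify_unsubscribe_token(tampered_token(good, 1043)))
```

Because every forged or incremented link fails verification rather than acting on a neighbouring account, a service using this scheme also gets a clean detection signal: a burst of verification failures from one client on the unsubscribe endpoint is worth alerting on, and the endpoint should be rate-limited for the same reason.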