[tor-bugs] #12089 [BridgeDB]: BridgedDB can be forced to email arbitrary email addresses

[Tor Bug Tracker & Wiki]

#12089: BridgedDB can be forced to email arbitrary email addresses
--------------------------------------+----------------------
 Reporter:  isis                      |          Owner:  isis
     Type:  defect                    |         Status:  new
 Priority:  critical                  |      Milestone:
Component:  BridgeDB                  |        Version:
 Keywords:  bridgedb-email, security  |  Actual Points:
Parent ID:                            |         Points:
--------------------------------------+----------------------
 See #12086.

 From
 [https://gitweb.torproject.org/user/isis/bridgedb.git/commitdiff/4c18a4e2b89872c5731d4301665642065980086e
 this commit message] for
 [https://gitweb.torproject.org/user/isis/bridgedb.git/blob/4c18a4e2b89872c5731d4301665642065980086e:/lib/bridgedb/test/test_email_server.py#l326
 this unittest]:

 > BridgeDB will accept an email from an arbitrary gmail/yahoo email
 address at the SMTP layer, and then send the reply to a *different*
 arbitrary gmail/yahoo email address taken from the contents of the email
 headers.
 >
 > As you can see in the example...

 (in the ticket description of #12086)

 > the SMTP command
 >
 > {{{
 > MAIL FROM: isisgrimalkin at gmail.com
 > }}}
 >
 > combined with a `'From: isislovecruft at gmail.com'` in the email headers
 within the SMTP `DATA` segment caused the reply to be sent the reply to
 the later, when it came from the former.

 While this was done quick-and-dirty with netcat, it's probably possible to
 configure msmtp to send a the same SMTP commands/info with embedded email
 headers still specifying an arbitrary email address, such that Gmail/Yahoo
 would produce a valid DKIM signature for it and pass it along to BridgeDB.
 (And thus the issue isn't merely that DKIM verification appears to be
 broken, but the issue is that we're not checking that source of an
 incoming email matches the destination of the response.)

 > In addition, the person reading such a unsolicited response from
 BridgeDB also has no way to know who originally emailed BridgeDB to cause
 this email to end up in her inbox in the first place.
 >
 > I'm not exactly certain if this is a bug or a feature. While it could be
 used for sending some junk to an arbitrary gmail/yahoo address, it could
 also be used as a sort of
 >
 >    "Dear BridgeDB, can I have some bridges? Asking for a friend."
 >
 > mechanism.

 I'm guessing that we're likely to see more use of it for the former, more
 malicious activity than the latter benevolent one, and so we should
 probably consider this a pretty serious bug.
 -----------------------------------------------------------------------------

 Side note:

 All the bugs found with that unittest were present in older versions of
 BridgeDB, and possibly have always been present, and they don't appear to
 be resultant from my recent rewrite of the email servers
 ([https://trac.torproject.org/projects/tor/ticket/5463#comment:21 as
 sysrqb noted], my rewrite retained portions of the old codebase). I just
 wanted to point that out so that I'm not blamed for introducing them.
 Unfortunately, I didn't catch this while staring at the code for several
 hours. (But hiphiphooray for unittests! :D )

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12089>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online