Rastislav ₡ORE

WhiteHat report: Cloudflare Email worker

Email Workers and email routing rules are dropping valid emails.

Email routes and workers exclude addresses that use "plus" addressing (a "+tag" suffix in the local part of the address), so the service fails to process those messages. No error or notification is produced.

Steps to reproduce

  1. Create an email redirection that is processed by a worker and have the worker print event.to (for example with console.log).
  2. Enable the email worker on an address in the dashboard, e.g. user@sld.email, so that emails sent to it are processed by the worker.
  3. Send an email to that address using a "plus" addressing field, e.g. user+info@sld.email.
  4. The email is not captured at all, and the worker does not run.
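The steps above describe the expected behaviour: a message to user+info@sld.email should reach the worker configured for user@sld.email. The block below is an added example, not code from the original post or from Cloudflare, of how a worker handler could canonicalise plus addressing before matching the recipient against the configured custom address. It uses `message.to`, `message.forward()` and `message.setReject()` in the shape of the Email Workers `email()` entry point (the post's older `event.to` form carries the same recipient string); the routing table, sample addresses and the `makeMessage` stand-in are constructed for the example.

```javascript
// Added example (not Cloudflare's code): canonicalise "plus" sub-addressing
// so that user+tag@sld.email is matched as user@sld.email when a Cloudflare
// Email Worker decides whether a configured custom address applies.
// Routing table, sample addresses and the message stand-in are constructed.

// Split an address into local part, plus tag and domain. The "+tag" suffix is
// a sub-addressing convention (RFC 5233), not a separate mailbox.
function parseRecipient(address) {
  const at = address.lastIndexOf("@");
  if (at <= 0 || at === address.length - 1) {
    throw new Error(`malformed recipient: ${address}`);
  }
  const local = address.slice(0, at);
  const domain = address.slice(at + 1).toLowerCase(); // domains are case-insensitive
  const plus = local.indexOf("+");
  const base = plus === -1 ? local : local.slice(0, plus);
  const tag = plus === -1 ? null : local.slice(plus + 1);
  return { local, base, tag, domain, canonical: `${base}@${domain}` };
}

// Match a recipient against a configured custom address, ignoring the plus tag.
// Local parts are compared case-insensitively here as a deliberate choice.
function matchesCustomAddress(recipient, configured) {
  const r = parseRecipient(recipient);
  const c = parseRecipient(configured);
  return r.base.toLowerCase() === c.base.toLowerCase() && r.domain === c.domain;
}

// Constructed routing table: custom address -> destination mailbox.
const ROUTES = {
  "user@sld.email": "inbox@example.net",
};

// Handler in the shape of an Email Worker `email()` entry point. It returns a
// record of what it decided so the behaviour can be checked without a mailbox.
async function handleEmail(message, routes = ROUTES) {
  const to = parseRecipient(message.to);
  console.log("recipient:", message.to, "tag:", to.tag);
  for (const [custom, destination] of Object.entries(routes)) {
    if (matchesCustomAddress(message.to, custom)) {
      await message.forward(destination);
      return { action: "forward", destination, tag: to.tag };
    }
  }
  // No route matched: the equivalent of catch-all "drop", but explicit and logged
  // instead of silent, so a missed message leaves a trace.
  message.setReject("no route for recipient");
  return { action: "reject", destination: null, tag: to.tag };
}

// Constructed stand-in for the parts of the message API used above.
function makeMessage(to) {
  const log = [];
  return {
    to,
    from: "sender@example.org",
    forward: async (dest) => { log.push(`forward:${dest}`); },
    setReject: (reason) => { log.push(`reject:${reason}`); },
    log,
  };
}

// In a deployed worker the handler would be exported as
//   export default { email: (message, env, ctx) => handleEmail(message) };
```

The point of `matchesCustomAddress` is that the plus tag is discarded only for matching; `handleEmail` still returns it, so a worker can use the tag for sorting while never losing the message because of it.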

Impact

The impact is high because emails are lost even when they are addressed correctly.
Every case that relies on event.to has been affected so far; there may be more.
The result is that even valid emails are lost inside the Cloudflare system.
With the catch-all set to none or drop, those valid emails are silently lost.

Environment

Please set the catch-all to drop and create a custom address such as recipient@cloudflare.com or test@cloudflare.com; those addresses should run the worker. On my end, I am facing issues with "plus" addresses such as recipient+123@cloudflare.com and test+123@cloudflare.com.

Rationale

Certain important communications may be inadvertently excluded by the filtering, which can harm Cloudflare's operational efficiency. A perpetrator may attribute this to a spam filter, thereby influencing Cloudflare's business logic. With a catch-all address in use, the system may be vulnerable to DoS attacks or cause the loss of client funds.

Classification

CWE-840: Business Logic Errors

Reference

Originally posted in HackerOne #1988088

Result

Informative
