The Low Down [TL;DR]: How I Found Myself in the Middle of a ‘Welcome Email’ Gone Rogue

You know that thrill you get when you stumble upon something unexpected? That’s exactly what happened when I was poking around Ring’s public Bug Bounty program. After some recon I found a pretty interesting subdomain. This subdomain allowed users to signup for an account, so I decided to poke around the signup process. What was supposed to be a routine day of testing turned into uncovering a neat little HTML Injection vulnerability. Picture this: an attacker injecting their code into a friendly “Welcome Email” tricking users into clicking on fake links. Not exactly the warm welcome you'd expect, right?

Before I jump into the technical bits (don't worry, I'll keep it clear!), here’s the fun part: this bug, although low severity, opened the door for phishing attacks and brand impersonation and anything imaginable with HTML Injection. It’s always those sneaky, unassuming bugs that catch you off guard! Ready to dive deeper? Let's break down how it all went down.

The Vulnerability

During my recon process with Ring’s program I found an interesting subdomain that allowed users to signup. Whenever I see a signup form I always like to poke around. During the exploration of this endpoints user registration flow, I discovered a stored HTML injection vulnerability within the Welcome Email. Specifically, the registration form failed to sanitize user input in the username field, allowing malicious HTML code to be injected. This code would later be executed in the Welcome Email sent from [email protected].

The risk? Any malicious actor could leverage this vulnerability to modify the email’s content, potentially launching phishing attacks, defacing the message, or impersonating Ring's official communications. This posed a risk as the email was coming from an official *.ring.com domain and would appear more official/legit than one coming from a non ring.com subdomain.

Getting Crafty

Being able to edit the contents of an email can typically cause impact to go up with HTML Injection vulnerabilities as their severity isn’t typically triaged as being very high. Typically, in my experience, a lot of them are marked as low severity or sometimes even informative. But at the end of the day it’s all about the impact you can create with the bug, so get creative!

One flaw of this signup page that allowed me to craft a really clever password reset email that would allow me to steal a ring user’s account credentials was the lack of a character limit on the input fields. This combined with the non-sanitization of the user input allowed me to input as much HTML code that I wanted. The signup “Welcome Email” contained hardcoded text prior to where the vulnerable user name input was reflected. So with this in mind I spammed a bunch of <br> “Breaks” in HTML to put that hardcoded text to waaaaay at the bottom of the email the victim would receive.

The funny thing about this bug too is that the subdomain application account’s that we were allowed to signup with, weren’t related to the main Ring application. Meaning, we could figure out the email of our victim’s Ring account with social engineering and then signup as the user on this vulnerable subdomain prompting this malicious email to be sent to our Ring.com victim to steal their account. That’s just one attack scenario for you.

Final Thoughts

After submitting the report, the issue was flagged as a duplicate, meaning another researcher had previously reported it. This was very sad as this was my very first report to a Bug Bounty program and I was so confident this would’ve been my first payout. While my submission wasn’t eligible for a reward, it was still a valuable learning experience. Sometimes, the timing isn’t perfect, but that doesn’t take away from the significance of uncovering a real-world security vulnerability. This motivated me and also proved to be bit of assurance that I can too find valid bugs on real world programs such as Ring.com!!

I never thought I would’ve found a valid bug on any program let alone a program as big as Ring.com. This was a year ago that this happened and the progress I have made since that time is immense! This goes to show that if you’re willing to continue working on your craft, you're only destined to end up where you’re supposed to be. Duplicates will always remain to be a helpful reminder that I am on the right track and to not give up on myself. Now if you’re duping every time you report a bug, your methodology likely needs some personalization or the program you’re hunting on is too saturated.

I hope this post was helpful and/or entertaining! As always, thanks for reading and have a great week/day/night/morning/month/year. 😎🤘 

Want to follow my bug bounty adventures? Catch me on Twitter @actuallyclover!

Resources:

- https://hackerone.com/ring

- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/03-Testing_for_HTML_Injection#:~:text=Summary-,HTML%20injection,-is%20a%20type