How I landed my first bounty: No SPF / DMARC record found, leading to a social engineering attack
Hey there. Today I will be sharing how I was able to earn a bounty of €250 for demonstrating how a user can be social engineered at www.lululemon.com. So let’s start.
I went through the bug-bounty program of lululemon, a European web-store. I checked through its gateways and found nothing present. So I moved on. Eventually I thought of finding a logical bug and, if possible, escalating it to the next level, so I checked the DMARC, DNS and SPF records through these sites respectively:
MX Lookup Tool - Check your DNS MX Records online - MxToolbox
SPF Query Tool - a checker meant to help you deploy SPF records for your domain; it uses an RFC 7208 compliant library
I found that the web-store had neither an SPF record nor a DMARC record. To learn more about SPF, DMARC and expired DNS records, see the linked SmarterMail blog post.
Now, as the domain did not have a proper, well-configured SPF/DMARC record (and no DNS configuration for them was found), a receiving mail server has no published policy to check a message's claimed sender against, so mail with a forged From: address at that domain is accepted on its own merits. To show how a social engineering attack could take place, I tried sending an email through the emkei.cz fake mailer. And this time it worked. BINGO!
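To make the check above repeatable, here is an added example (my own code, not the author's or any tool the post links to) that parses the TXT records a domain publishes for SPF (at the domain itself) and DMARC (at `_dmarc.<domain>`) and grades what a spoofed From: address would face. All domain names and records below are constructed samples using documentation names and addresses; the empty-record case mirrors what the write-up found. Feed it the output of `dig TXT example.com` and `dig TXT _dmarc.example.com` for a real domain.

```python
"""Assess whether a domain's SPF and DMARC records protect it against From: spoofing.
Added example with constructed sample data; not the post's or any vendor's code."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SpfResult:
    present: bool
    all_qualifier: Optional[str] = None   # "-", "~", "?" or "+" (None if no "all" term)
    mechanisms: list = field(default_factory=list)
    errors: list = field(default_factory=list)


@dataclass
class DmarcResult:
    present: bool
    policy: Optional[str] = None           # p= tag: none / quarantine / reject
    subdomain_policy: Optional[str] = None  # sp= tag; defaults to p=
    pct: int = 100
    rua: list = field(default_factory=list)
    errors: list = field(default_factory=list)


# SPF terms that cost a DNS lookup (RFC 7208 section 4.6.4 caps these at 10)
_SPF_DNS_MECH = re.compile(r"^[+\-~?]?(include:|a$|a:|a/|mx$|mx:|mx/|ptr|exists:|redirect=)", re.I)


def parse_spf(txt_records):
    """Parse the TXT records of the domain itself (e.g. from `dig TXT example.com`)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return SpfResult(present=False)
    result = SpfResult(present=True)
    if len(spf) > 1:
        result.errors.append("more than one v=spf1 record: receivers treat this as permerror")
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if m:
            result.all_qualifier = m.group(1) or "+"   # bare "all" means "+all"
        else:
            result.mechanisms.append(term)
    lookups = sum(1 for t in result.mechanisms if _SPF_DNS_MECH.match(t))
    if lookups > 10:
        result.errors.append(f"{lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    if result.all_qualifier is None:
        result.errors.append('no "all" term: unmatched senders get an implicit neutral result')
    return result


def parse_dmarc(txt_records):
    """Parse the TXT records at _dmarc.<domain> (e.g. from `dig TXT _dmarc.example.com`)."""
    recs = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not recs:
        return DmarcResult(present=False)
    result = DmarcResult(present=True)
    if len(recs) > 1:
        result.errors.append("more than one DMARC record: receivers discard all of them")
    tags = {}
    for part in recs[0].split(";"):          # tag=value pairs separated by semicolons
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    result.policy = tags.get("p", "").lower() or None
    if result.policy not in ("none", "quarantine", "reject"):
        result.errors.append("missing or invalid p= tag: not a valid DMARC record")
        result.policy = None
    result.subdomain_policy = tags.get("sp", "").lower() or result.policy
    try:
        result.pct = int(tags.get("pct", "100"))
    except ValueError:
        result.errors.append("pct= is not an integer")
    result.rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return result


def assess(domain_txt, dmarc_txt):
    """Grade the records and list what a receiver would do with a forged From: address."""
    spf, dmarc = parse_spf(domain_txt), parse_dmarc(dmarc_txt)
    findings = list(spf.errors) + list(dmarc.errors)
    if not spf.present:
        findings.append("no SPF record: receivers cannot tell authorised sending hosts from others")
    elif spf.all_qualifier in ("+", "?"):
        findings.append(f'SPF ends in "{spf.all_qualifier}all": every sender passes or is neutral')
    elif spf.all_qualifier == "~":
        findings.append('SPF ends in "~all" (softfail): only a hint to filters unless DMARC enforces')
    if not dmarc.present:
        findings.append("no DMARC record: nothing instructs receivers to reject failing mail")
    elif dmarc.policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif dmarc.policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail lands in spam instead of being rejected")
    if dmarc.present and dmarc.pct < 100:
        findings.append(f"DMARC pct={dmarc.pct}: policy applied to only part of failing mail")
    if not spf.present and not dmarc.present:
        grade = "unprotected"                      # the situation described in the write-up
    elif dmarc.policy == "reject" and dmarc.pct == 100 and not dmarc.errors:
        grade = "enforced"
    elif dmarc.policy == "quarantine" and not dmarc.errors:
        grade = "partially enforced"
    else:
        grade = "weak"
    return {"grade": grade, "spf": spf, "dmarc": dmarc, "findings": findings}


# Constructed samples (RFC 2606 names, RFC 5737 addresses); not real domains.
SAMPLE_DOMAINS = {
    "no-records.example": ([], []),
    "monitor-only.example": (["v=spf1 ip4:192.0.2.0/24 ~all"],
                             ["v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example"]),
    "enforced.example": (["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
                         ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@enforced.example"]),
}

if __name__ == "__main__":
    for name, (spf_txt, dmarc_txt) in SAMPLE_DOMAINS.items():
        report = assess(spf_txt, dmarc_txt)
        print(f"{name}: {report['grade']}")
        for finding in report["findings"]:
            print("  -", finding)
```

The grade deliberately keys on DMARC rather than SPF alone: SPF with `-all` but no DMARC still leaves the visible From: header unchecked, which is exactly the gap a fake-mailer demonstration exploits, while a DMARC `p=reject` policy at `pct=100` tells receivers to refuse mail that fails aligned SPF or DKIM.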
I reported it with a valid PoC and demonstrated how it could be used with a video PoC. At first they said it did not qualify as a P3 vulnerability; then I showed it again and gave valid proofs with a new PoC.
TIP: Many times they won’t “triage” your report and will rate it as P5. You don’t have to get mad or feel sad. Send them another message about your finding and to what extent you can escalate the vulnerability. They will surely reply with a positive response.
After 4–5 days of intensive search and inspection, they responded with a bounty of €250, and it came to me.
Many asked for this write-up, and I have given you the easiest way possible. Hope it works for you. Thank you and keep rocking! And just don’t stop.