How I landed my first bounty: No SPF / DMARC record found, leading to a social engineering attack

Hey there. Today I will share how I was able to earn a bounty of €250 for demonstrating how a user can be social engineered at www.lululemon.com. So let’s start.

I went through the bug-bounty program of lululemon, a European Web-store. I checked its gateways and found nothing there, so I moved on. Eventually I thought of looking for a logic bug and, if possible, escalating it to the next level, so I checked the DMARC, DNS and SPF records through these sites respectively:

I found the webstore without an SPF record and without a DMARC record. To learn more about SPF, DMARC and expired DNS records, please visit here:

Now, since it has no proper or well-configured SPF/DMARC record and no DNS configuration was found, I tried sending an email through a fake mailer (i.e. showing how a social engineering attack can take place), using the emkei.cz fake mailer. And this time it worked. BINGO!!!!!!
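As an added example (not the author’s tooling, and not anything the program published), here is a small checker that grades a domain’s spoofing exposure from the same two records the write-up looked at: the domain’s `v=spf1` TXT record and the `v=DMARC1` TXT record at `_dmarc.<domain>`. The record values in it are constructed samples; real ones come from `dig +short TXT <domain>` and `dig +short TXT _dmarc.<domain>`.

```python
import re

SPF_ALL = re.compile(r"(?:^|\s)([-~?+]?)all(?:\s|$)")  # final 'all' term and its qualifier

def parse_spf(txt_records):
    """Return (spf_record, qualifier_on_all); (None, None) when no v=spf1 TXT exists."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return None, None
    m = SPF_ALL.search(spf[0])
    return spf[0], ((m.group(1) or "+") if m else None)

def parse_dmarc(dmarc_records):
    """Return DMARC tags as a dict, or None when _dmarc.<domain> has no v=DMARC1 TXT."""
    recs = [r for r in dmarc_records if r.lower().startswith("v=dmarc1")]
    if not recs:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags

def assess(domain_txt, dmarc_txt):
    """Grade spoofing exposure from the two TXT record sets -> (risk, findings)."""
    findings = []
    spf, qual = parse_spf(domain_txt)
    if spf is None:
        findings.append("no SPF record: any host may claim to send for this domain")
    elif qual != "-":
        findings.append(f"SPF 'all' qualifier is {qual!r} rather than '-': unlisted senders are not rejected")
    dmarc = parse_dmarc(dmarc_txt)
    policy = (dmarc or {}).get("p", "none").lower()
    if dmarc is None:
        findings.append("no DMARC record: receivers have no policy for SPF/DKIM failures")
    elif policy == "none":
        findings.append("DMARC p=none: failures are only reported, never quarantined or rejected")
    if dmarc is None or policy == "none":
        risk = "HIGH"    # nothing instructs receivers to reject a forged From: header
    elif findings:
        risk = "MEDIUM"  # DMARC enforces, but SPF alone would not fail the spoof
    else:
        risk = "LOW"
    return risk, findings

# Constructed sample records (not real lookups) for the two postures in the write-up.
UNPROTECTED = (["site-verification=abc123"], [])
HARDENED = (["v=spf1 include:_spf.example.net -all"],
            ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"])
```

The fix on the defender’s side is the HARDENED pair: an SPF record ending in `-all` plus a DMARC record with `p=reject` (or `p=quarantine`), so receivers drop or quarantine mail that fails both SPF and DKIM alignment.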

I reported it with a valid POC, demonstrating with a video POC how it can be used. At first they said it did not qualify as a P3 vulnerability; then I showed them again and gave valid proof with a new POC.

TIP: Many a time they won’t “Triage” your report and will mark it as P5. You don’t have to get mad or feel sad. Send them another message about your finding and how far you can escalate the vulnerability. They will surely reply with a positive response.

After 4–5 days of their own searching and inspection, they responded with a bounty of €250, and it came to me.

So, many asked for this write-up, and I have given you all the easiest way possible. Hope it works for you. Thank you and keep rocking…!!!!! And just don’t stop.

Follow me on Instagram: fardeenchenzhen

/////////////////####Happy Hacking####\\\\\\\\\\\\\\\\\\\\\

Cybersecurity enthusiast, Hobbyist Developer and a Life-Long learner