CVE-2021-30216: Vulnerability Disclosure - Business Logic: Sending email is still allowed for expired/transferred hosts
Zoho Mail (version NA, i.e. no specific version) is affected by an incorrect access control vulnerability. To send mail from a domain, its owner first configures the domain in Zoho Mail. After the domain expires, that person is still able to send mail from the account, despite having lost ownership of the domain.
Status: Open (As on 08-Aug-2021)
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N = 5.7 (Medium Severity)
Impacted Component: Gmail, Yahoo Mail, Zoho Mail, vtiger and many others (webmail and the corresponding Android/iOS mobile apps)
Vulnerability Description: The webmail services keep honouring a sending address that was configured while the user legitimately controlled it, even after that control is gone: an address on a domain that has since expired, the mailbox of an employee whose account was terminated (provided the address had earlier been associated with a Gmail/Zoho Mail account), or even the address of a read-only mailing group. If the recipient has added the sender to a trusted list or contacts during an earlier conversation, spam filters are unlikely to flag such a message as suspicious.
Imagine Alice owned domain.com and used an address on that domain through the Gmail/Zoho Mail service.
One day the domain expired and Alice could not renew it. Alice is still able to send mail from that domain.com address through the Gmail/Zoho Mail servers.
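To make the business-logic flaw concrete, here is an added example (not Zoho's or Gmail's code) that models the send-as authorisation decision. It assumes, for illustration, that ownership of an address is proven once by publishing a token in the domain's DNS TXT records, which is a stand-in for the provider's real verification step; the DNS table, the clock and the address alice@domain.com are all constructed. The flawed check accepts any alias that was ever verified; the hardened check expires the proof and re-checks the domain at send time, which is what closes both the expiry case and the transfer-to-Bob case.

```python
"""Model of the send-as authorisation flaw: verified once, allowed forever.

Added example, not code from Zoho or Gmail. Ownership of an address is
assumed to be proven by publishing a token in a DNS TXT record (hypothetical
stand-in for the provider's verification step); a fake DNS table and a fake
clock make it run offline.
"""
from dataclasses import dataclass


class FakeClock:
    """Controllable time source (seconds since epoch, constructed)."""
    def __init__(self, t=1_600_000_000.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


@dataclass
class Alias:
    address: str
    token: str          # TXT token the owner published when verifying
    verified_at: float  # when ownership was last proven


class AliasStore:
    """Per-user 'send mail as' aliases, keyed by (user, address)."""
    def __init__(self, dns, now):
        self.dns = dns    # domain -> set of TXT records (stand-in for DNS)
        self.now = now
        self.aliases = {}

    def verify(self, user, address, token):
        """One-time ownership proof: the token must be visible in the domain's TXT records."""
        domain = address.rsplit("@", 1)[1]
        if token not in self.dns.get(domain, set()):
            return False
        self.aliases[(user, address)] = Alias(address, token, self.now())
        return True

    def can_send_as_vulnerable(self, user, address):
        """The flawed logic: any alias that was ever verified may be used."""
        return (user, address) in self.aliases

    def can_send_as_hardened(self, user, address, max_age=30 * 86400):
        """Hardened logic: the proof expires, and ownership is re-checked at send time."""
        alias = self.aliases.get((user, address))
        if alias is None:
            return False
        if self.now() - alias.verified_at > max_age:
            return False  # stale proof: force re-verification
        domain = address.rsplit("@", 1)[1]
        return alias.token in self.dns.get(domain, set())


def run_scenario():
    """Alice verifies alice@domain.com, the domain expires, then Bob buys it."""
    clock = FakeClock()
    dns = {"domain.com": {"mail-verification=alice-token"}}  # constructed
    store = AliasStore(dns, now=clock)
    alice, addr = "alice", "alice@domain.com"
    r = {}

    if not store.verify(alice, addr, "mail-verification=alice-token"):
        raise RuntimeError("verification should succeed while Alice owns the domain")
    r["hardened_while_owned"] = store.can_send_as_hardened(alice, addr)

    # Domain expires: the zone is dropped, so Alice's TXT record disappears.
    clock.advance(10 * 86400)
    del dns["domain.com"]
    r["vulnerable_after_expiry"] = store.can_send_as_vulnerable(alice, addr)
    r["hardened_after_expiry"] = store.can_send_as_hardened(alice, addr)

    # Bob registers domain.com and publishes his own verification token.
    dns["domain.com"] = {"mail-verification=bob-token"}
    r["vulnerable_after_transfer"] = store.can_send_as_vulnerable(alice, addr)
    r["hardened_after_transfer"] = store.can_send_as_hardened(alice, addr)

    # Even if Alice's old token somehow stayed published, the proof goes stale.
    dns["domain.com"].add("mail-verification=alice-token")
    clock.advance(25 * 86400)  # 35 days since verification, beyond max_age
    r["hardened_stale_proof"] = store.can_send_as_hardened(alice, addr)
    return r


if __name__ == "__main__":
    for check, allowed in run_scenario().items():
        print(f"{check}: {allowed}")
```

Running it shows the vulnerable check returning True after both the expiry and the transfer while the hardened check returns False in every case except while Alice still owns the domain; in a real service the re-check would be the provider's own verification method rather than a TXT lookup, but the principle is the same: a sending right derived from a fact that can change must be re-validated, not cached forever.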
Impact rationale: Once the domain has expired, Alice should no longer have the right to send mail for it. SMTP sender addresses can always be spoofed, but spoofed mail arrives from an unrelated IP address, which spam filters use as a signal; with this technique the message leaves the provider's own outbound servers, so that signal is lost. If Bob later buys domain.com, Alice can still send mail from it even though Bob now owns it, and recipients would not suspect that it was Alice, rather than the domain's current owner, who sent it. The same applies to an employee who has left an organisation: the pre-configured address, to which the employee officially no longer has access, can still be used to send mail via the Gmail/Zoho Mail servers. It is also possible to send mail on behalf of read-only groups this way. A caveat on the spam-filter point: receivers that enforce DMARC check that the From domain itself passed SPF or DKIM, and mail relayed by the provider under an old verification is authenticated for the provider, not for the domain, so a new owner who publishes SPF and a DMARC reject policy limits the impact at such receivers; an expired domain publishes no policy at all, and a contact-list entry keyed on the sender address alone bypasses the check regardless.
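On the receiving side, the reason a contact list defeats the spam filter is that it is keyed on the From address alone. Here is an added example (not code from any mail provider) that reads the Authentication-Results header a receiving MTA stamps on a message and tests DMARC-style alignment between the From domain and the domain that actually passed DKIM or SPF. The two messages, the domain provider.example and Bob's contact list are constructed placeholders, and the organisational-domain function is a simplification that skips the public-suffix list a real implementation needs.

```python
"""Receiver-side check: is the From domain actually authenticated?

Added example, not code from any provider. Both messages are constructed
samples; provider.example, sel and the addresses are placeholders.
"""
import email
import email.utils
import re
from email import policy


def org_domain(domain):
    """Organisational domain for relaxed alignment. Assumption: last two
    labels; a real DMARC implementation consults the public-suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def from_domain(msg):
    addr = email.utils.parseaddr(str(msg["From"]))[1]
    return addr.rsplit("@", 1)[1].lower()


def authenticated_domains(msg):
    """Domains that passed DKIM or SPF according to Authentication-Results."""
    found = set()
    for ar in msg.get_all("Authentication-Results", []):
        ar = str(ar)
        for m in re.finditer(r"dkim=pass[^;]*?header\.d=([\w.-]+)", ar):
            found.add(m.group(1).lower())
        for m in re.finditer(r"spf=pass[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", ar):
            found.add(m.group(1).lower())
    return found


def dmarc_aligned(msg, relaxed=True):
    """True if some domain that passed DKIM/SPF aligns with the From domain."""
    fd = from_domain(msg)
    return any(d == fd or (relaxed and org_domain(d) == org_domain(fd))
               for d in authenticated_domains(msg))


def classify(raw, trusted_senders):
    """Naive rule: trust the From address if it is in the contact list.
    Hardened rule: a contact-list hit only counts when the From domain is aligned."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1].lower()
    aligned = dmarc_aligned(msg)
    naive = "trusted" if sender in trusted_senders else "unknown"
    hardened = naive if aligned else "unauthenticated-from"
    return {"aligned": aligned, "naive": naive, "hardened": hardened}


# Constructed sample 1: relayed by the provider under an old send-as alias.
# The provider's DKIM signature covers its own domain, not domain.com, and the
# expired domain publishes no SPF record, so nothing vouches for domain.com.
RELAYED_FROM_OLD_ALIAS = "\n".join([
    "From: Alice <alice@domain.com>",
    "To: bob@example.net",
    "Subject: Invoice",
    "Authentication-Results: mx.example.net;",
    " dkim=pass header.d=provider.example header.s=sel;",
    " spf=none smtp.mailfrom=alice@domain.com",
    "",
    "Please pay the attached invoice.",
])

# Constructed sample 2: sent by the domain's own, correctly configured infrastructure.
SENT_BY_DOMAIN_OWNER = "\n".join([
    "From: Alice <alice@domain.com>",
    "To: bob@example.net",
    "Subject: Invoice",
    "Authentication-Results: mx.example.net;",
    " dkim=pass header.d=domain.com header.s=sel;",
    " spf=pass smtp.mailfrom=alice@domain.com",
    "",
    "Please pay the attached invoice.",
])


def classify_samples():
    trusted = {"alice@domain.com"}  # Bob's contact list, constructed
    return {"relayed": classify(RELAYED_FROM_OLD_ALIAS, trusted),
            "owner": classify(SENT_BY_DOMAIN_OWNER, trusted)}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(name, verdict)
```

The relayed message is "trusted" under the naive contact-list rule and "unauthenticated-from" under the hardened one, while the owner's message is trusted under both; the point is that an allow-list should key on an authenticated identity, not on a header anyone with an old alias can set.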
P.S.: So the next time you receive a mail, even from a legitimate-looking domain, you will have to think ten times.