Bug Report: Email Spoofing Vulnerability found in assets - [SafeExamBrowser]

[priyanshukumar397]

Description

Issue:
Reporting a security vulnerability in [SafeExamBrowser] Asset

Date:
05-10-24

Summary:
Email spoofing vulnerability due to missing DMARC policy on safeexambrowser.org

Description:
The domain safeexambrowser.org lacks a DMARC policy and does not have a Quarantine/Reject policy enabled. This allows unauthorized emails to appear as if they are from safeexambrowser.org increasing the risk of phishing and compromising domain integrity.

Cause:

• DMARC policy not configured.
• No Quarantine/Reject policy in place.

Impact:

• Risk of phishing attacks.
• Potential damage to domain reputation.

Proof of Concept for the Vulnerability:

Recommended Fix:

• Enable DMARC Policy: For domain mentioned above.
• Set Policy to Quarantine/Reject: Ensure that emails failing DMARC checks are handled appropriately

Priority:
Medium

Thanks

[priyanshukumar397]

[priyanshukumar397]

Any updates yet?

[danschlet]

No, we don't have dedicated staff to deal with website issues and have very much to do with issues in the software itself. We will look into this as time permits.

[priyanshukumar397]

Thanks for your response @danschlet sir, however, kindly confirm if you accept this as a valid bug for a fix.

Also, if you need more folks to join SEB, kindly let me know if I can join the team for testing part including other assets of SEB including itself, as currently I am working on various browser bypasses for various assessments and checks, would be happy to join.

[priyanshukumar397]

any updates on this request?

Thanks for your response @danschlet sir, however, kindly confirm if you accept this as a valid bug for a fix.

Also, if you need more folks to join SEB, kindly let me know if I can join the team for testing part including other assets of SEB including itself, as currently I am working on various browser bypasses for various assessments and checks, would be happy to join.