Confused Deputy Vulnerability in Cloudflare CASB
On April 18, 2023, I discovered a vulnerability in Cloudflare CASB that enabled me to view sensitive information about other customers’ Microsoft and GitHub organizations. This included employee names/emails, links to SharePoint files, repository names/descriptions and more. View the report on HackerOne. What is Cloudflare CASB? I think I have to quickly explain Cloudflare CASB for the rest of the write-up to make any sense, but feel free to skip to the next part if you already know what a Cloud Access Security Broker is and how it works....
Hijacking email with Cloudflare Email Routing
On Tuesday, December 7th 2021 I discovered a critical vulnerability in Cloudflare’s Email Routing service. This vulnerabilty enabled anyone to modify the routing configuration of any domain using the service. A bad actor could have overwritten the destination address to their own email address in order to read any email sent to the victim’s domain. The bug has since been fixed and Cloudflare has kindly allowed me to publish this write-up....