Timo Longin @login introduces SMTP smuggling, a novel technique to spoof fully SPF-validated emails from various popular domains including @microsoft.com.

Wow. It's incredible nobody found this before. It's the first of its kind. Probably not the last...!

https://youtu.be/V8KPV96g1To

Related:
https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-mails_worldwide
https://www.postfix.org/smtp-smuggling.html
https://www.malwarebytes.com/blog/news/2024/01/explained-smtp-smuggling

#SmtpSmuggling #37C3 #SMTP #vulnerability #infosec #TimoLongin #security

37C3 - SMTP Smuggling – Spoofing E-Mails Worldwide


SMTP smuggling feels similar to HTTP smuggling, but differs in impact.

SMTP smuggling sends a legitimate email to an unsuspecting receiver. It ends up in someone's inbox, at another provider.

HTTP request smuggling is not always visible to other users, and can (depending on the web app) be limited to one backend cluster and the attacker's own requests, i.e. to steal/manipulate private data.

There are multiple HTTP smuggling vulns by now.

A recent one from DEFCON 27:

https://youtu.be/w-eJM2Pc0KI

albinowax - HTTP Desync Attacks: Smashing into the Cell Next Door - DEF CON 27 Conference
