€100 Bug Bounty from Intigriti - please stop tracking your confirmation emails!
There's a new bug bounty provider in town! The Belgian company Intigriti. This is a quick write-up of how I found a trivial bug in their own system.
The EU has announced that it is providing funding for bug bounties on critical open source projects. They've split the programme between HackerOne and Intigriti.
I signed up to Intigriti, and instantly received a confirmation email.
Can you guess where you go if you click the big "Activate Account" button?
I think that's the first time I've ever seen a .lu domain in the wild. Hardly surprising as there's fewer than 90,000 of them.
This looks like a phishing URL. It doesn't use https, it's a random string of gibberish characters, and it's on an obscure domain.
As it happens, the site is legitimate. MailJet - an email marketing firm - use it as a redirector. I assume that Intigriti use them as a mailing service, and want to track every single click you make on their emails.
Why are their statistics more important than your privacy and security?
Why is this bad?
Links to http sites are not secure. That means your visit to that URL can be seen by your ISP and anyone else between you and your destination.
A user clicking on that insecure URL risks having their request intercepted. While an attacker can't log in using the data they've captured, they would be able to redirect the user and phish their details.
Why use a 3rd party?
Basically, if Mailjet gets hacked, or goes rogue, they can start phishing all of Intigriti's customers.
Thankfully, Intigriti had the good sense to not use this tracking on their password reset emails. Indeed, I must commend them on their general security, and their swift responsiveness to this minor security issue.
This isn't the hack of the century - this is low-hanging fruit. I've reported identical issues to CloudFlare, Udacity, and several others.
PLEASE STOP TRACKING EVERY LINK IN YOUR EMAILS!
Or, if you really have to - make sure your tracking server supports https, is controlled by you, and doesn't have a daft domain name.
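As an added example (not code from this post, from Intigriti or from Mailjet), here is a small Python linter that applies those three rules to an outbound email template before it goes out: every link must use https, and the host must be one the sender controls; anything else is flagged. The allowed-host list, the sample email body and every host in it are constructed for illustration.

```python
"""Lint the links in an outbound email template: every link must use https
and point at a host the sender controls, so no click is routed through a
plain-http third-party redirector.

Added example, not the post's or Intigriti's code. The allowed hosts and the
sample email are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the sender actually controls (assumption for this example).
ALLOWED_HOSTS = {"example.com", "links.example.com"}


class LinkCollector(HTMLParser):
    """Collects every href from <a> tags in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def extract_links(html):
    """Return the hrefs in document order."""
    parser = LinkCollector()
    parser.feed(html)
    return parser.hrefs


def _host_allowed(host, allowed):
    """True if host is one of the allowed hosts or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def lint_link(href, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings for one href; an empty list means it passes."""
    findings = []
    parts = urlsplit(href.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    if scheme in ("mailto", "tel"):
        return findings  # not a web link; nothing to intercept in transit
    if scheme != "https":
        findings.append("insecure-scheme")  # plain http is visible to every hop
    if not host:
        findings.append("no-host")  # relative or malformed links can't be vetted
    elif not _host_allowed(host, allowed_hosts):
        findings.append("third-party-host")  # click goes via someone else's server
    return findings


def lint_email(html, allowed_hosts=ALLOWED_HOSTS):
    """Map each link in the email body to its findings."""
    return {href: lint_link(href, allowed_hosts) for href in extract_links(html)}


# Constructed sample: one direct https link, one click-tracked through an
# http redirector on a placeholder .lu domain, and one mailto link.
SAMPLE_EMAIL = """
<p>Welcome!</p>
<a href="https://example.com/activate?token=abc123">Activate Account</a>
<a href="http://tracker.placeholder-redirector.lu/click/Zm9vYmFy">Activate Account</a>
<a href="mailto:support@example.com">Contact support</a>
"""

if __name__ == "__main__":
    for href, problems in lint_email(SAMPLE_EMAIL).items():
        status = "OK " if not problems else "BAD"
        print(f"{status} {href}  {', '.join(problems)}")
```

Run this against each template in the build step that renders your emails and fail the build on any finding; a tracking redirector you do control on your own https subdomain passes, while the kind of link in this post is caught before anyone is sent it.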
Timeline
- 2018-12-31 - responsibly disclosed.
- A few hours later - confirmed fixed and bounty offered. Filled in my IBAN details.
- 2019-01-02 - £90 deposited in my account.
- 2019-01-04 - permission given to publish.
Katie C says:
I once had to convince a marketing department not to track a certain link in an email because it was literally breaking our reset-password process. For some reason, the "#" in our URL was munged in a way that Safari didn't like, which led users to a 404 page. Happily, our email service gave us an easy way to not track a particular link in an email. 30-second fix.
It took weeks to talk them into not tracking an email reset link. They kept suggesting tech solutions that they saw as reasonable, forcing me to point out why X wasn't actually that reasonable. I finally got the okay to remove it when it was pointed out that we were onboarding a huge number of customers, and that email was the way they were going to log onto the system.
Freaking marketing. I swear...