Viewing the source of the email showed that they were all coming from http:// mcsaatchi-email-preview.s3.amazonaws.com/o2/...

What happens if we visit that domain?

Ah, the dreaded "The specified bucket does not exist" error. At some point the images were served from that domain but someone deleted the bucket.

This is a problem. Amazon doesn't reserve bucket names after they're abandoned. Which means digital miscreants can claim them.

Imagine if, say, Vodafone¹ registered that bucket name. All of a sudden they could inject their logos or adverts into their rival's billing emails.

An attacker could go further. They could replace the images with ones saying "Please note our bank details have changed, send BitCoin to...."

It gets worse. The emails contain a link to an external font.

An attacker could craft a font with specific ligatures which would replace the text of the email!

I quickly defensively registered the bucket on AWS and sent an email telling O2's security team about the problem. I suggested they update their future emails. Of course, that doesn't help all the emails which have been already been sent and are lingering in their customers' inboxes. So I offered to transfer the bucket name back.

I received an automated response saying they'd look in to it.

Lessons you should learn

You should be very wary about hosting your critical infrastructure on a sub-domain outside of your control. And you should never point directly to an S3 bucket if you can help it.

Ideally, O2 would have spun up a domain like images.billing-emails.o2.com, pointed it to S3, and used that in their emails. That way, if they decided not to continue using Amazon's services, all their existing billing emails would be unaffected.

If an attacker gets control of a domain used to show images in emails, the can directly target your customers.

Timeline

• 2023-01-26 Issue detected. Defensively registered. Email sent.
• 2023-02-21 Reminder email sent informing them that I'd be publishing this post.
• 2023-02-22 O2 said they were investigating and asked me to delete the bucket, which I did. They swiftly reclaimed the bucket and repopulated its content.
• 2023-02-27 Blog post automatically published.

No bug bounty, but O2 did raise my bill by 17.3%…

InMobi has sent me all over the world - South Africa, San Francisco, Romania, Barcelona, Bangalore, Cologne, and Bath!

It has been an amazing adventure, working with some incredibly talented people. I've been challenged and stretched, I've presented in front of hundreds of people, launched the first RCS-e enabled adverts, started up blogs, wikis, and forums, and - most importantly - helped developers make money from their apps.

It's been a very busy year-and-a-bit! So now it's time for a change! Come August, I'll be beavering away in O2's The Lab. I've been consistently impressed with the way Telefónica has been innovating - and the presentations from their geeks at events have been phenomenal.

I'll be working on new and interesting products which take advantage of Telefónica's network. No, I can't help you if your iPhone is broken.

No doubt it will be strange moving from a start-up to a behemoth. And it will be odd driving round the M25 rather than suffering South West Trains every day. But I'm looking forward to a brand new set of challenges, meeting new colleagues, working with old friends, and a chance to get my hands dirty!

As ever, this blog remains personal - but please adjust your bias filters appropriately.