
Vulnerability to email delivery manipulation by Mailgun #214

Open
dglittle opened this issue Aug 11, 2024 · 1 comment

Comments

@dglittle
Collaborator

Mailgun is depended upon for email (and therefore authkey) delivery.

They could change the authkey to an arbitrary value, deny access to the email, and/or vote using the authkey link themselves

Denial could be selective & targeted – Mailgun could just refuse to deliver the email to users that identified w/ particular political positions

Note that this also includes the entire email ecosystem – all of the users’ mail hosting companies (e.g. their university, or gmail), MTAs that are used in transit for spam protection, etc. This is a really really strong (read: huge) trust assumption.

[...]

The goal is not to cast aspersions on the vendor, but to point out that the system is fundamentally trusting them in a way that might not be safe in the case of nation-state level adversaries.

Originally posted by @mspecter in #195

@arianabuilds
Member

Entry Summary for HACK SIV @ DEF CON 2024

Thanks again for participating! This submission earned $113.38 from SIV and $178.60 from the Public Vote, for a total of $291.98.

Here's what we noted in our evaluation:

What's interesting about this submission

  • Huge blast radius if exploited.
  • Accurately adds context that this is especially relevant when the adversary has nation-state resources.
  • Accurately points out that it's not just our email provider at risk, but also all the receivers.

What takes away from it

  • Email is much less relevant for public elections, because election admins are recommended to invite via postal mail.
  • Relatively clear path for bringing the transactional sending infrastructure in-house. (Just a big lift, which is why we started with the outsourced option.)
  • Seems almost certainly detectable via auditing.
  • If caught, relatively easily remediated.
  • Would destroy provider's business if caught.
  • If a public election and proven, could easily entail serious jail time.

Issue to track getting paid: siv-org/hack.siv.org#11
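The evaluation's point that interference by the delivery path is "almost certainly detectable via auditing" can be made concrete with a reconciliation check. The block below is an added illustration written for this thread; it is not SIV's code or its actual audit procedure. It assumes the election admin keeps three records that the thread does not mention: the authkey issued to each voter (with the voter's email address), the authkey each cast ballot presented, and a post-election voter survey. Each of the three behaviours described in the original report leaves a different trace in those records: an altered authkey shows up as a presented key that was never issued, a delivery-path actor voting with the link shows up as a used key whose voter says they did not vote, and selective non-delivery shows up as a non-delivery rate that is skewed by recipient domain. The sample data is constructed.

```python
"""Toy reconciliation audit for an email-delivered authkey flow.

Added illustration for this thread, not SIV's code or audit procedure.
Assumes (this is an assumption, not something the thread states) that the
election admin keeps: the authkey issued per voter, the authkey presented
by each cast ballot, and a post-election voter survey.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Survey answers the toy audit understands.
VOTED, DID_NOT_VOTE, NO_EMAIL = "voted", "did_not_vote", "no_email"


@dataclass
class Findings:
    # Keys presented at the ballot box that were never issued: what a link
    # whose authkey was altered in transit looks like from the server side.
    unknown_authkeys: List[str] = field(default_factory=list)
    # Voters whose issued key was used although they say they did not vote:
    # consistent with someone in the delivery path using the link.
    disputed_votes: List[str] = field(default_factory=list)
    # Voters whose key was never used and who say the email never arrived.
    undelivered: List[str] = field(default_factory=list)
    # Non-delivery rate per recipient domain, to surface selective denial.
    undelivered_rate_by_domain: Dict[str, float] = field(default_factory=dict)


def reconcile(issued: Dict[str, Tuple[str, str]],
              cast: List[str],
              survey: Dict[str, str]) -> Findings:
    """Cross-check issued keys, presented keys and voter statements.

    issued: voter_id -> (email, authkey); cast: authkeys presented by ballots;
    survey: voter_id -> one of VOTED / DID_NOT_VOTE / NO_EMAIL.
    """
    findings = Findings()
    known_keys = {key for _, key in issued.values()}
    used_keys = set(cast)

    # 1. Presented keys that the server never issued.
    findings.unknown_authkeys = [key for key in cast if key not in known_keys]

    total_by_domain: Counter = Counter()
    missing_by_domain: Counter = Counter()
    for voter, (email, key) in issued.items():
        domain = email.rsplit("@", 1)[-1].lower()
        total_by_domain[domain] += 1
        answer = survey.get(voter)
        # 2. Key was used, but the voter denies voting.
        if key in used_keys and answer == DID_NOT_VOTE:
            findings.disputed_votes.append(voter)
        # 3. Key never used and the voter reports no email arrived.
        if key not in used_keys and answer == NO_EMAIL:
            findings.undelivered.append(voter)
            missing_by_domain[domain] += 1

    # Per-domain non-delivery rates; a sharp skew between domains is the
    # signal for selective, targeted denial rather than random mail loss.
    findings.undelivered_rate_by_domain = {
        d: missing_by_domain[d] / total_by_domain[d] for d in sorted(total_by_domain)
    }
    return findings


def run_sample() -> Findings:
    """Run the audit over constructed sample records (not real data)."""
    issued = {
        "v1": ("alice@uni.edu", "k-alice"),
        "v2": ("bob@uni.edu", "k-bob"),
        "v3": ("carol@mail.example", "k-carol"),
        "v4": ("dave@mail.example", "k-dave"),
        "v5": ("erin@mail.example", "k-erin"),
    }
    # "k-forged" was never issued; bob's key was used though he says he did not vote.
    cast = ["k-alice", "k-bob", "k-forged", "k-dave"]
    survey = {"v1": VOTED, "v2": DID_NOT_VOTE, "v3": NO_EMAIL,
              "v4": VOTED, "v5": NO_EMAIL}
    return reconcile(issued, cast, survey)


if __name__ == "__main__":
    f = run_sample()
    print("never-issued keys presented:", f.unknown_authkeys)
    print("votes disputed by voter:", f.disputed_votes)
    print("voters reporting no email:", f.undelivered)
    for domain, rate in f.undelivered_rate_by_domain.items():
        print(f"non-delivery rate for {domain}: {rate:.0%}")
```

None of these checks prevents the interference; they only make it visible after the fact, which is the trade-off the evaluation describes when it weighs detectability and remediation against the blast radius. The per-domain rate is the piece worth keeping even in a real deployment: a uniform loss rate looks like ordinary mail failure, while a rate concentrated on one provider's recipients is the "selective & targeted" pattern the original report warns about.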
