Comment by tryauuum

4 months ago

if someone's reading this thread: yes, apple does have dmarc / spf

    $ dig id.apple.com TXT +short
    "v=spf1 include:_spf-txn.apple.com include:_spf-mkt.apple.com include:_spf.apple.com include:icloud.com ~all"
    $ dig _dmarc.id.apple.com TXT +short
    "v=DMARC1; p=reject; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com;"

5 comments

tryauuum

Reply
teddyh  4 months ago

They also seem to have DKIM. To find out, first we need an authoritative name server for id.apple.com:

  $ dig +short id.apple.com NS
  ns1-235.akam.net.
  ns1-45.akam.net.
  asia3.akam.net.
  asia2.akam.net.
  eur5.akam.net.
  usw2.akam.net.
  usw6.akam.net.
  use1.akam.net.

We pick an arbitrary nameserver and see if the _domainkey subdomain gives NXDOMAIN or NORERROR:

  $ dig +noall +comments +norecurse @ns1-235.akam.net _domainkey.id.apple.com TXT | grep HEADER
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12521

Good, it gives NOERROR, which indicates the existence of subdomains. Just to be sure, we check some other arbitrary non-existing subdomain, to see if it gives NXDOMAIN as it should:

  $ dig +noall +comments +norecurse @ns1-235.akam.net zojglgrcqk.id.apple.com TXT | grep HEADER
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5653

Since it gives the expected NXDOMAIN, this strongly indicates that there are DNS records present on subdomains of “_domainkey.id.apple.com”; i.e. DKIM keys.

(Of course, if you have ever recieved e-mail from an address @id.apple.com, you would see the selector name in the DKIM signature header, and could look up the corresponding DKIM record directly. The above method is for when you don’t have access to that.)

hmottestad  4 months ago

And it’s still out of scope for the HackerOne bug bounty program.

  • dns_snek  4 months ago

    Future hackers, take note. If vulnerabilities you discover have any chance of being misinterpreted as "out of scope" by some bureaucrat at HackerOne, even though they're obviously applicable and dangerous, sell them on the market instead.

  • hmottestad  4 months ago

    Got a -1 on this comment. Must mean that I’m wrong and that it’s become part of the scope now!

    Maybe someone wants to post a link?

    • tryauuum  4 months ago

      maybe because the issue is not about apple's dns records, so the vulnerability is in scope. One could argue the issue is in zendesk's feature of adding people with an email.