
Student crashes Cloudflare beta party, redirects email, bags a bug bounty
2022-08-04 06:31

A Danish ethical hacker was able to work his way uninvited into a closed Cloudflare beta and found a vulnerability that could have been exploited by a cybercriminal to hijack and steal someone else's email.

Student Albert Pedersen reported the critical vulnerability to Cloudflare via the company's bug bounty program, and was awarded $3,000.

According to a timeline on HackerOne, which manages the bounty program, Cloudflare fixed the flaw within a few days.

"I assumed either the Cloudflare API would do a server-side check and throw an error telling me to verify the zone, or my rogue configuration simply would not take effect," he told The Register in an email interview.

Cloudflare said in a statement to The Register that after the vulnerability was reported, it resolved the issue and verified that the flaw had not been exploited.

On his LinkedIn profile, Pedersen describes himself as a "Cloudflare enthusiast." He told The Register he is a Cloudflare Community MVP, which he described as a volunteer member of the program who makes significant contributions to the community forum and answers other users' questions.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/08/04/cloudflare_email_beta_bug/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Cloudflare 18 1 20 19 3 43