
A feature, not a bug. Or how Rambler lets you replace the sender of an email


Good day. My name is Aleksey. I write bots and reverse-engineer Android applications, looking for vulnerabilities in them.

The Rambler/Mail app for Android came my way. The goal was to automate sending mail through the mobile application's API. I launched the MEmu emulator and Charles, but the app's TLS traffic refused to show up in the proxy. So it came down to reverse engineering: I patched smali_classes2\okhttp3\OkHttpClient.smali so that the client's certificate checks no longer kept the traffic out of the proxy.

Next I went looking for the requests responsible for authorization and for sending messages. I was surprised that the authors of the application, a company of that size, make no attempt to protect themselves with even the simplest request signatures. The login request looks ordinary. The send request, however, is extremely curious:

action=send&params={"to":{"hrthrtjrt12@mail.ru":"hrthrtjrt12@mail.ru"},"body":"<div><br><\/div>erherh<br>---<br>.","is_html":"1","subject":"ergerg","action":"send","bcc":{},"from":{"eherhregerg@rambler.ru":""},"uploads":[],"cc":{}}

The from parameter is what interests us. Absolutely any Rambler address can be substituted there, and the server accepts it. Here is how the message arrives at Yandex:

[image: the message as it is displayed in Yandex Mail]

Fortunately, both Mail.ru and Yandex offer a "service headers" view, and there we see:

Delivered-To: hrthrtjrt12@mail.ru
Return-path: <eherhregerg@rambler.ru>


Yes, technically the real sender is visible, but from the average user it is hidden, and this can become a phishing tool.

It gets worse. I managed to get one account banned from other accounts simply by putting its address in the from field when sending; after that, mail from it stopped arriving. Yet if you put any other address in the from field when sending from that "banned" account, the mail goes through. So Rambler treats the account named in the from field as the sender, not the account that actually logged in.
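A toy send handler in Python, added here as an illustration and not Rambler's code (which is not public), showing the behaviour the two paragraphs above describe beside a hardened version. The params JSON is the article's own captured request; the session identity and the verified-alias list are assumptions of the example. The vulnerable handler takes both the sender and the key used for abuse handling (the ban) from the client-supplied from field, which is exactly what lets one account get another banned; the hardened handler takes the identity from the authenticated session and keys the ban on it, honouring a from value only if it names the session user or an alias that user has already proven control of.

```python
import json

# The send request captured in the article (the article's own JSON). The
# raw string keeps the "<\/div>" escape intact for json.loads.
CAPTURED_PARAMS = r'{"to":{"hrthrtjrt12@mail.ru":"hrthrtjrt12@mail.ru"},"body":"<div><br><\/div>erherh<br>---<br>.","is_html":"1","subject":"ergerg","action":"send","bcc":{},"from":{"eherhregerg@rambler.ru":""},"uploads":[],"cc":{}}'


class Forbidden(Exception):
    """Raised when a client asks to send as an identity it does not own."""


def with_from(params_json: str, from_addr: str) -> str:
    """Rewrite the from field the way the article does; returns new JSON."""
    params = json.loads(params_json)
    params["from"] = {from_addr: ""}
    return json.dumps(params)


def vulnerable_send(session_user: str, params_json: str) -> dict:
    """Behaviour described in the post: the sender, and the identity that
    abuse handling is keyed on, both come from the client-supplied field.
    session_user is accepted but never consulted."""
    params = json.loads(params_json)
    sender = next(iter(params["from"]))  # whatever the client sent
    return {
        "mail_from": sender,
        "header_from": sender,
        "abuse_key": sender,  # bans land on whoever the client named
        "to": sorted(params["to"]),
    }


def hardened_send(session_user: str, params_json: str,
                  verified_aliases=()) -> dict:
    """Sender identity is derived from the authenticated session, never
    from the request body. verified_aliases (an assumption of the example)
    is the set of extra addresses this account has proven it controls."""
    params = json.loads(params_json)
    allowed = {session_user.lower(), *(a.lower() for a in verified_aliases)}
    requested = [a.lower() for a in params.get("from", {})]
    if len(requested) > 1:
        raise Forbidden("exactly one sender address is allowed")
    sender = requested[0] if requested else session_user.lower()
    if sender not in allowed:
        raise Forbidden(f"{session_user} may not send as {sender}")
    return {
        "mail_from": sender,
        "header_from": sender,
        "abuse_key": session_user.lower(),  # bans follow the real account
        "to": sorted(params["to"]),
    }


def rejects(session_user: str, params_json: str, verified_aliases=()) -> bool:
    """True if the hardened handler refuses this request."""
    try:
        hardened_send(session_user, params_json, verified_aliases)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    session = "eherhregerg@rambler.ru"  # assumed logged-in account
    forged = with_from(CAPTURED_PARAMS, "someone-else@rambler.ru")
    print("vulnerable:", vulnerable_send(session, forged))
    print("hardened rejects forged:", rejects(session, forged))
    print("hardened, own address:", hardened_send(session, CAPTURED_PARAMS))
```

The important design point is that the abuse key is tied to the session, not to a field in the body: with the vulnerable handler, anyone can accumulate strikes against an arbitrary address, and the real abuser simply rotates the from value.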

Rambler's technical support has already been notified of the vulnerability. They do not, however, consider it one. I quote:

[image: screenshot of the reply from Rambler support]

The same substitution attempts against the Yandex and Mail.ru mobile applications did not work; fortunately, those companies are not so "creative". Their mobile applications have vulnerabilities too, but more on that in the next article: the developers must be notified first.

This article is an attempt to rectify the situation and get this recognized as a bug after all. Thank you for your attention.

Source: https://habr.com/ru/post/324046/
