@wearehackerone.com is vulnerable to namespace attacks due to hackerone.com not being RFC2142 compliant.

Disclosed: 2019-01-02 10:47:54 By thefrog To security
Medium
Vulnerability Details
Hola amigos! First off, I know RFCs are annoying. Second of all, namespace attacks are a b*tch. With that out of the way, here is an Inti-bug that was discovered as a result of reading RFC2142 very carefully.

## Brief summary of RFC2142

RFC2142 defines a standard set of email addresses that cover certain roles and functions. For example, you might be familiar with the `security@` address. This was originally defined in section 4 of RFC2142: https://tools.ietf.org/html/rfc2142#section-4.

```
MAILBOX        AREA                  USAGE
-----------    ----------------      ---------------------------
ABUSE          Customer Relations    Inappropriate public behaviour
NOC            Network Operations    Network infrastructure
SECURITY       Network Security      Security bulletins or queries
```

## Ze Bug

The way the new `@wearehackerone.com` email forwarding system works is that an address is allocated for your HackerOne account based on your username (`<your-h1-handle>@wearehackerone.com`). So hackerone.com/foobar turns into `[email protected]`.

With this in mind, I decided to enumerate all the various email addresses defined in RFC2142 and determine which ones can be registered, ultimately resulting in me controlling what should be a reserved email address. In some cases you do actually prevent people from claiming the handle, such as with `postmaster`.

███

Unfortunately though, after a bit of probing I noticed that not all RFC2142 addresses were blocked. I am now the proud owner of [email protected]. Please feel free to shoot me an email and I will respond back to demonstrate that this address is under my control.

## How to fix this issue

In order to fix this issue, I advise you to add the following usernames to your exclusion list so that one cannot hijack these important email addresses.

```
abuse
admin
administrator
hostmaster
info
is
it
list
list-request
majordomo
marketing
mis
news
postmaster
root
sales
security
ssl-admin
ssladmin
ssladministrator
sslwebmaster
support
sysadmin
trouble
usenet
uucp
webmaster
```

Have fun fixing this issue and feel free to email me at [email protected] if you are having any trouble reproducing this issue. ;)

\- @thefrog

## Impact

In some cases, these reserved addresses are used to generate SSL certificates since CAs assume that these are all trusted addresses.
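The exclusion-list fix the report proposes, as an added example that is not HackerOne's code: a reservation check for handles on a per-user forwarding domain, plus an audit over already-registered handles. The reserved names are the report's list; the Unicode folding and the CA-validation subset are this example's own additions.

```python
"""Reserved-mailbox check for a per-user email-forwarding domain.

Added example (not HackerOne's code). It implements the fix the report
proposes: refuse to allocate <handle>@<forwarding-domain> when the handle
collides with a mailbox name that RFC 2142 or ops convention reserves.
"""
import unicodedata

# Exclusion list exactly as proposed in the report.
RESERVED_LOCAL_PARTS = frozenset({
    "abuse", "admin", "administrator", "hostmaster", "info", "is", "it",
    "list", "list-request", "majordomo", "marketing", "mis", "news",
    "postmaster", "root", "sales", "security", "ssl-admin", "ssladmin",
    "ssladministrator", "sslwebmaster", "support", "sysadmin", "trouble",
    "usenet", "uucp", "webmaster",
})

# Subset that the CA/Browser Forum Baseline Requirements allow a CA to use
# as a "constructed" domain-validation address; this is the certificate
# risk the report's Impact section describes, so it gets a distinct reason.
CA_VALIDATION_LOCAL_PARTS = frozenset({
    "admin", "administrator", "webmaster", "hostmaster", "postmaster",
})


def normalize_handle(handle: str) -> str:
    """Canonical form for the collision check: NFKC-fold (so full-width or
    ligature spellings cannot dodge the list), strip whitespace, casefold."""
    return unicodedata.normalize("NFKC", handle).strip().casefold()


def check_handle(handle: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a requested forwarding handle."""
    local = normalize_handle(handle)
    if not local:
        return False, "empty local part"
    if local in CA_VALIDATION_LOCAL_PARTS:
        return False, f"{local}@ is a CA domain-validation address"
    if local in RESERVED_LOCAL_PARTS:
        return False, f"{local}@ is reserved by RFC 2142 / ops convention"
    return True, "ok"


def audit_handles(existing: list[str]) -> dict[str, str]:
    """Map each already-registered handle that collides with a reserved
    mailbox to the reserved name it shadows (for cleanup after the fix)."""
    hits = {}
    for handle in existing:
        local = normalize_handle(handle)
        if local in RESERVED_LOCAL_PARTS:
            hits[handle] = local
    return hits
```

Running `audit_handles` over the existing account table is what turns the exclusion list from a guard on new signups into a fix for handles claimed before it existed.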
Report Stats
  • Report ID: 397792
  • State: Closed
  • Substate: resolved
  • Upvotes: 107