Temp Mail leaves systems wide open


Temp Mail, a popular disposable email provider, left its systems publicly open for over three months, risking potential breaches and large-scale malware spread.

  • Temp Mail is a popular disposable email service provider with more than 10M app installations on Android alone.
  • A publicly accessible environment file (.env) exposed the company’s sensitive credentials.
  • Using leaked data, threat actors could’ve potentially accessed internal systems, manipulated or deleted crucial data, mimicked the company to spread malicious malware, and hijacked the official communication channel.
  • Cybernews contacted Temp Mail, and the company fixed the issue.

The Cybernews research team recently discovered a significant misconfiguration in the Temp Mail system, which exposed sensitive data.

ADVERTISEMENT

Temp Mail is a free disposable email service that allows users to receive email at a temporary address that self-destructs after a specific time period.

The disposable email service is a go-to choice for users who wish to evade spam and guard their email addresses against disclosure when registering on multiple websites, blogs, and forums.

The recently discovered misconfiguration potentially enabled malicious actors to access the internal systems of Temp Mail, manipulate sensitive data, spread malware on a massive scale, and target the platform’s users.

Temp Mail's Android app alone boasts over 10 million installations, highlighting the gravity of the situation. Cybernews reached out to the company, and it fixed the issue.

Access to internal systems

On April 29th, 2023, the Cybernews research team discovered a publicly accessible environment file (.env) belonging to Temp Mail. According to IoT search engines, the file had been open since Dec 30th, 2022.

The .env file revealed API keys for the company’s internal services. Our researchers can’t determine which internal services were left vulnerable, but the exposure of these keys is hazardous as it potentially allows malicious actors to enter the mail service’s internal systems and manipulate or delete critical information.

.env file
Leaked environment file. Image by Cybernews
ADVERTISEMENT

If malicious actors had exploited the API keys, it could’ve led to a wide range of privacy violations, including identity theft and accurately-crafted phishing attacks against Temp Mail users.

Among the leaked data, researchers also found secrets used in Amazon Web Services (AWS) authentication. The AWS cloud frequently serves as the critical backbone for companies in hosting digital infrastructures.

The repercussions of unauthorized access to AWS can result in service disruptions, data breaches, and potentially inflicting substantial financial losses due to fraud.

Another piece of sensitive information observed was Google Firebase credentials. Firebase comprises a comprehensive backend suite of cloud computing services and application development platforms offered by Google.

Unauthorized access to Firebase could lead to data manipulation, service disruptions, and severe privacy breaches.

Data leaked:

  • API keys for internal services
  • Android and iOS App Store issuer private keys
  • Google Firebase credentials
  • SendGrid API keys
  • AWS secrets

Possibility for large-scale malware spread

The environment file also exposed the private keys of Android and iOS App Store issuers. These keys serve as authentication measures, ensuring the authenticity of applications prior to their distribution on respective app stores.

If malicious actors managed to obtain these keys, they could exploit them to release harmful updates or even create entirely new applications that impersonate Temp Mail. Such actions would enable the widespread dissemination of malicious software, posing a significant threat to users on a large scale.

ADVERTISEMENT

Hijacking official communication channels

The discovered SendGrid API keys pose another significant risk. SendGrid is a cloud-based Simple Mail Transfer Protocol (SMTP) provider that allows the sending of emails without maintaining email servers and other email-related services.

The exposed keys might lead to the hijacking of the company’s communication channel. If malicious actors were able to exploit the keys, they could send spam, malicious emails, or conduct phishing attempts, causing severe damage to Temp Mail's reputation and potentially harming its users.

Staying safe

This data leak is another stark example of the importance of secure data handling and storage. In response to Cybernews, the company said that the leak was caused by one of their developers in the development environment. “We have removed it [.env file] from public access and will change the exposed security keys,” the company explained.

To mitigate the risks, Cybernews advises Temp Mail to investigate whether any unauthorized access or misuse of the data has occurred. Also, the company should inform its users about the incident and advise them to be on the lookout for potential phishing attempts or other malicious activities.

Routine security checks, strict adherence to security best practices, and the use of secret management systems are necessary measures to prevent such incidents in the future.