Skip to main content

Message flooding

Description

It is possible to send mass messages to the phones numbers and emails of the victims, causing saturation of the inbox and consuming resources of the user.

Impact

  • Flood the inbox of the victim.
  • Increase abruptly the consumed resources of the device.
  • Hide important information from other messages.
  • Facilitate other attacks like phishing.

Recommendation

Restrict the consecutive sending of messages through mechanisms such as time delays or controls over the amount of messages sent

Threat

External attacker with access to the code.

Expected Remediation Time

⌚ 15 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code madurity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 5.3
    • Temporal: 5.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

Accordign to business needs, the email delivery configuration sets a minimun time-delay to avoid overflooding

email_delivery:
delivery_method: :smtp
smtp_settings:
enable_starttls_auto: true
address: "address"
port: 587
domain: "promotions_domain"
authentication: :plain
user_name: "appadmin"
time_delay: 24h

Non compliant code

The email delivery configuration does not set a time-delay limit

email_delivery:
delivery_method: :smtp
smtp_settings:
enable_starttls_auto: true
address: "address"
port: 587
domain: "yourdomain"
authentication: :plain
user_name: "appadmin"

Requirements