Submitted

Use the email functionality as a phishing email sender


Ezequiel Souza

Hi Pipefy team and Security/Privacy team,

There is a vulnerability in Pipefy that needs to be fixed urgently.

Any person/member can use the email functionality to send phishing to anyone.

These options must be controlled so that they can be permitted or not (shown/used):

Send the phishing.

This situation can cause several kinds of damage to Pipefy and its customers.

Please fix urgently.

Thanks

10 replies

genietim
  • Pipefy Legend
  • 412 replies
  • November 16, 2022

I am not sure if this is really a vulnerability. Only the paying users of Pipefy can send the E-Mails, i.e., Pipefy would know who it is and could penalise them.

In principle, E-Mail in and of itself is an unsafe technology; anyone can write an E-Mail to anyone, impersonating anyone else, without much trouble, except for spam filters.


Ezequiel Souza
  • Author
  • Pipefy Legend
  • 1036 replies
  • November 16, 2022

Hi Genietim,

It's a vulnerability regardless of whether the account is paid or not. From a cybersecurity perspective, the system must control the functionalities that can be used unduly. As I said, the platform can be used by a user (insider), even when the account is verified, to send a Phishing or Spear Phishing using the Pipefy platform.
In these cases, Pipefy could be involved in the investigation and receive a penalty for permitting this functionality to be used by anyone without control.

Regards.


genietim
  • Pipefy Legend
  • 412 replies
  • November 16, 2022

Hi Ezequiel Souza,

I cannot agree yet. The E-Mails Pipefy sends pass through Sendgrid (AFAIK). Therefore, one could argue that Sendgrid is the one with the vulnerability, as it allows sending Spam. Yet, sending E-Mails is the whole business of Sendgrid – are you going to call their business a vulnerability?

Or did I still not understand what it is you are calling a vulnerability?


Ezequiel Souza
  • Author
  • Pipefy Legend
  • 1036 replies
  • November 16, 2022

Hi Genietim,

A vulnerability is anything that can be exploited or used to affect/impact another person, group or business.

Nowadays all features and functionalities must be protected against bad usage. It's a Security by Design concept and a cybersecurity good practice.

If the Pipefy platform is used as a way to carry out an attack, the authorities will charge Pipefy for that.

Feel free to check with the lawyers.

Regards.


genietim
  • Pipefy Legend
  • 412 replies
  • November 16, 2022

Hi Ezequiel Souza,

With this definition of vulnerability, every E-Mail program is one. A telephone is one. Every telecom firm is affected. Revolutionary!

How would you imagine tackling this vulnerability while allowing legitimate communication, other than using clever spam filters etc.?

Best regards,

Ezequiel Souza
  • Author
  • Pipefy Legend
  • 1036 replies
  • November 16, 2022

Hi Genietim,

You are thinking of spam, but I'm talking about Phishing and Spear Phishing. It means using the Pipefy platform as a way to carry out an attack.

My suggestion is to create a permission control (group/user) to permit or deny use of this feature.

Regards.


genietim
  • Pipefy Legend
  • 412 replies
  • November 16, 2022

Hi Ezequiel Souza,

Ah, I think I understand now what you mean. Thanks for the explanations!


Nicole Chiroli
Pipefy Staff
  • Product Manager
  • 301 replies
  • November 21, 2022

Hi, team. Hope you're doing well and staying safe!

@Ezequiel Souza, thanks for the concern and the report 😊

The ability to send emails through Pipefy requires, at minimum, the "member" level of access in a pipe. If further control needs to be in place, you can further enhance it by allowing only assignees of the card to be able to edit/send emails. This configuration can be found within the "Pipe settings":

In parallel, we have our Security form (pipefy.com/security) that allows people to inform us of any type of abuse in our features so that we can act promptly, in addition to having anti-abuse security automation using Machine Learning that acts directly in the prevention of these cases.

I am sending internal feedback, however, on the idea to unbind the email settings from the card settings. It would be awesome if these permissions were independent, right? 🤗

We appreciate you taking the time to help us go further. Thank you again!



Ezequiel Souza
  • Author
  • Pipefy Legend
  • 1036 replies
  • November 21, 2022

Great!!

Thank you!

