Backblaze Account Takeover
Posted on
Sometimes you find a way to abuse a system and you don't get a bounty payout. Such is life! That is what happened here, but it's a bit different from the usual tale from the world of infosec, because I didn't technically exploit anything, yet I still managed to perform account takeovers on well-known backup provider Backblaze, including "accidentally" taking over a legitimate customer account (which contained live, real-world data). I merely abused a somewhat poorly constructed sentence in the official documentation, which happened to contain a syntactically valid, unregistered domain. I... guess it's exploiting the interpretation of the English language?
Backblaze won't pay out a bounty if you publicly disclose, but as this is seemingly not worth a payout anyway and has been fixed for a few months now, what's the harm in publishing, eh?
Back in April and May 2025 I was trialling Backblaze for a data project at work and it went really well. The costs were low and the tech worked perfectly. It's a great service and product, and I knew it was the right tool for the job. I had mucked around with it a fair amount using an account associated with my work email address, but I wanted to start a fresh account for the production version of the data project.
Thankfully, Backblaze has a documented method (<- archive.org link) to change the email address associated with your account. Step 4 under the heading "Remove an Email Address from a Previous Account or Trial" is the important one:
Enter your current password, and enter and confirm a new email address that looks like this: xxx8xx8@x87xx.xxx.
Upon reading this, my initial reaction was to recoil, eyebrow arched, and question it: it wants me to change my account's email address to xx87xx8x@x87xx.xxx specifically? That's... odd, right?
I pondered it a bit...
Maybe they have some logic in the process that picks up that exact string of characters and black-holes the account or treats it differently? In fact, that seems like a strange and oddly specific string to use. Why wouldn't they just use a string that isn't a valid RFC 5322 address, rather than a valid-looking email address, and pluck it out before the validation rule triggers? Wait... what if they don't do any of that and they've just poorly worded that line in the docs?
At this point, I reconsidered the line in the documentation. I could also interpret it to mean "change the email address to something like this but not this exactly".
But if I, a native English speaker, had interpreted it on first read as wanting me to use that funky x-laden email address specifically, others would too. So I did the only thing I could do: I hopped onto a registrar and checked whether the domain used in the specified email address was available (as is habit for many infosec-minded people, I'm sure) and, to my surprise, it was!
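The underlying documentation bug here is generic: an "example" email address whose domain is not reserved can be registered by anyone. RFC 2606 and RFC 6761 reserve .test, .example, .invalid, .localhost and example.com/net/org precisely so that placeholders can never be claimed. The following is an added example (not code from the original post, and nothing Backblaze ships) of a small lint that pulls email-like strings out of documentation text and flags any whose domain is not one of those reserved names. The sample document is constructed; the placeholder line is the one quoted above.

```python
import re

# Names reserved by RFC 2606 / RFC 6761: they can never be registered,
# so they are the only safe choice for example addresses in documentation.
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}

# Deliberately loose address matcher: we want to catch anything that a
# reader could paste into a form, not to validate RFC 5322 precisely.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

# Constructed sample documentation, not the real Backblaze page.
SAMPLE_DOC = """
Enter your current password, and enter and confirm a new email address that looks like this: xxx8xx8@x87xx.xxx.
Contact support@example.com if anything goes wrong.
For local testing use nobody@placeholder.invalid instead.
"""


def is_reserved_domain(domain: str) -> bool:
    """True if the domain (or a parent of it) is an RFC 2606/6761 reserved name."""
    d = domain.lower().rstrip(".")
    if d.split(".")[-1] in RESERVED_TLDS:
        return True
    return any(d == r or d.endswith("." + r) for r in RESERVED_DOMAINS)


def find_registrable_placeholders(text: str) -> list[tuple[str, str]]:
    """Return (address, domain) pairs for every address whose domain someone could buy."""
    findings = []
    for m in EMAIL_RE.finditer(text):
        domain = m.group(1)
        if not is_reserved_domain(domain):
            findings.append((m.group(0), domain))
    return findings


if __name__ == "__main__":
    for address, domain in find_registrable_placeholders(SAMPLE_DOC):
        print(f"WARNING: example address {address!r} uses registrable domain {domain!r}")
```

Run against the sample, only the x87xx.xxx line is reported; example.com and .invalid pass. A live version of this check could additionally confirm registrability with an RDAP lookup, but the offline rule is enough to catch the mistake before a doc page is published.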
Now, I took a moment here. This wasn't a boring old .com; it was a .xxx domain. They're not the cheapest domains to rent! To be fair, they're also not overly expensive if you're not trying to register a premium domain (a common word before the TLD, which x87xx isn't, of course), but money is kinda tight. I considered whether I wanted to pursue this for a while, a few weeks at least.
Eventually I decided to use a chunk of money from my personal monthly "treats" pot and go ahead and register it. A few fewer shop-bought drinks and treats for a while, sacrificed on a hunch. But a fun hunch!
A primer on .xxx domains
.xxx domains, launched in 2011, are for... well, porn stuff. If you host a porn site you don't need to use a .xxx (or similar) domain, but it is a recommendation, pretty much to ease filtering. Obviously that's fairly useless if it's not a hard requirement, but when there's money to be made, who cares about logic?
Unbeknownst to me at the time of forking over £60, .xxx domains are controlled by ICM Registry, which appears to quietly be... GoDaddy. You can register the domain itself easily enough via your nearest high-quality registrar, but in order to actually configure records for one of these domains, you need to provide evidence that you're a member of the pornography business.
Yep.
So I had to send proof of my participation in the porn industry to GoDaddy via ICMRegistry.biz, a totally not sus domain. Once they've verified that you are in fact a porn star (or otherwise work in the industry) you get a membership token, which can be used at the registrar to unlock the domain, at which point you can use it like any other domain (as long as you follow their rules, of course).
So it's clear to any readers here: no, I am not a participant in the porn industry. I've never been in it, directed it, done CGI, fluffing, fetching drinks, cleaning... but we won't let that stop us, will we?
I registered, because of course I did, and submitted a bare-bones application. But I heard nothing back.
Those of you who have been involved in web stuff for a while will know that GoDaddy are renowned for being... let's charitably say... disorganised. So after waiting a bit to hear back, I started pestering. Eventually someone must've gotten fed up with me and let my application slip through, as one random evening I got confirmation emails and my membership token, without any reply to my pleas for help. So I guess as of 22nd May 2025 my membership of the porn industry is verified, and as a result I find myself with a working .xxx domain! Yay?
So I've now got a working .xxx domain, which I of course immediately hooked up to my Proton email account so it could receive emails sent to my shiny new x87xx.xxx domain, and began the next phase of the plan!
After checking that the documentation hadn't been updated and still said the same thing (it did), I decided to test the process by creating an account and going through the steps as documented. I opened Backblaze, logged into my account, initiated the account email address transfer process (sending the account over to "xx87xx8x@x87xx.xxx"), and... blocked. Account already in use.
Crap.
No, wait, not just 'crap' - Holy crap!
(This gets a little convoluted. Hopefully it can be followed along easily!)
I went back to the Backblaze login page and went through the "forgotten password" process, entering the email address from the documentation (again, xx87xx8x@x87xx.xxx) and... ping! I get an email from Backblaze on my freshly minted email alias. Within this email is a link to reset the account's password!
I follow the password reset process and can then log in. At some point in the past, someone has indeed already followed this document, (mis)interpreted the process and transferred their account to this email address.
However... This isn't the legitimate customer account I mentioned earlier. That comes later.
I'm buzzing. I'm logged into someone's account. It's empty of all data and details, but it's there. I need to test this properly, so I go back through the account email address transfer process and change this newly acquired account's email address to [somethingRandom]@x87xx.xxx. That way I retain access to the account (I was using a catch-all on Proton, so [anythingHere]@x87xx.xxx lands in my mailbox) and free up the documented address to try transferring another account under my control, to determine what the procedure actually does.
Next, I log out, then log back in to my original test account from earlier and try to transfer it again. It flies through the process. No email confirmation is required; it just changes the owner of the account straight over to the .xxx email address.
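The behaviour described above, an address change that takes effect with no proof that the new address is reachable by the account holder, is the property that turns a documentation typo into a takeover. The block below is an added example, not Backblaze's code: an in-memory model (constructed for this post) showing that weak flow beside a hardened one in which nothing changes until a single-use, time-limited token delivered to the new address is redeemed from the account's own session. Account IDs, addresses and the `EmailChangeService` class are hypothetical.

```python
import secrets
import time


class EmailChangeService:
    """Toy model of an account email-change feature (constructed example)."""

    TOKEN_TTL = 15 * 60  # seconds a confirmation token stays valid

    def __init__(self):
        self.accounts = {}   # account_id -> current email address
        self.outbox = []     # (to_address, subject) for every mail "sent"
        self.pending = {}    # token -> (account_id, new_email, expires_at)

    def register(self, account_id, email):
        self.accounts[account_id] = email.lower()

    def _send(self, to, subject):
        self.outbox.append((to.lower(), subject))

    # --- Weak flow: the change is applied immediately. Whoever controls the
    # (possibly mistyped) new domain now controls password resets.
    def change_email_unverified(self, account_id, new_email):
        old = self.accounts[account_id]
        self.accounts[account_id] = new_email.lower()
        self._send(old, "Your account was transferred")

    # --- Hardened flow, step 1: record the request, mail the NEW address only.
    def request_email_change(self, account_id, new_email, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.pending[token] = (account_id, new_email.lower(), now + self.TOKEN_TTL)
        self._send(new_email, "Confirm your new address")
        return token

    # --- Hardened flow, step 2: the token must be redeemed from the session
    # of the account it was issued for, once, before it expires.
    def confirm_email_change(self, account_id, token, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(token, None)  # single use, valid or not
        if entry is None:
            return False
        owner, new_email, expires_at = entry
        if owner != account_id or now > expires_at:
            return False
        old = self.accounts[account_id]
        self.accounts[account_id] = new_email
        self._send(old, "Your email address was changed")
        return True


if __name__ == "__main__":
    svc = EmailChangeService()
    svc.register("acct-1", "owner@example.com")
    # A user pastes the documentation placeholder into the weak flow:
    svc.change_email_unverified("acct-1", "xx87xx8x@x87xx.xxx")
    print("weak flow, account now owned by:", svc.accounts["acct-1"])
    # The same mistake in the hardened flow changes nothing until confirmed:
    tok = svc.request_email_change("acct-1", "xx87xx8x@x87xx.xxx")
    print("hardened flow, still owned by:", svc.accounts["acct-1"])
```

In the hardened variant the owner of x87xx.xxx still receives the confirmation mail, but the token is useless without the victim's authenticated session, and the victim, who never receives it, is left exactly where they started. Notifying the old address is kept in both flows; it is what let the author contact the customer in this story, but on its own it does not prevent the transfer.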
I run a few tests on some other accounts, write this up as an "I don't know how to classify this, but I can kinda take over customer accounts if they follow your documentation?" bug report on Backblaze's Bugcrowd programme, and feel great that my hunch paid off.
Bugcrowd close the issue.
The first reason it's closed is that the issue relies on an attacker purchasing a domain, as if that's onerous for an attacker to do. Also, they say, it's not in scope, as it's on the documentation site rather than the base domain. I clarify that the issue isn't on the documentation site but is a result of the content on it, and ask for the documentation to be updated anyway, but nope. The triage process has blocked this and -1'd me to boot. Bugcrowd has shot me down.
Ah well. I know it's legit. It works. So what better way to prove it than to wait for a customer to follow this guide and send me their account?
I'm tapping away at my keyboard at work in January and my phone dings - my Backblaze account has been transferred.
After a couple of underwear-browning seconds my eyes widen in realisation: hold up, it's an email that landed in my .xxx domain's inbox! I take a closer look and, sure enough, some [randomUser]@gmail.com has seemingly followed the documentation and transferred their account to xx87xx8x@x87xx.xxx!
I finish the day's work, head home and get online. Step one, account password reset, which works, so I log in. Sure enough, someone has initiated a transfer to the documented email address and as a result has given me access to their Backblaze account. This legit, paying customer account includes two computer backups with current, very recent data. It's live data, uploaded moments ago.
Now, that bit right here that I've just done? Morally questionable at best. I've just obtained access to an active, paying customer account, and I've taken things a step further than is generally acceptable to me and the community by resetting their account password and verifying it is accessible.
As their computer still backs up to this account, I immediately get another Bugcrowd ticket logged with a plea to reconsider the validity of this as... not a bug per se, but a problem for sure. I don't touch the account beyond my initial login and seeing the data shown on the dashboard; I don't download anything or navigate anywhere in the interface. I log out after taking a screenshot and fire off my plea. I know: "trust me, bro". But I really didn't, and Backblaze will have logs of all of that.
Backblaze helpfully includes the account's originating email address in the transfer notification email, so I send the owner an email from my personal (fyr.io) email account clarifying the situation: their account has come to me, I won't touch it, I've emailed Backblaze and am trying to get them to sort it. I don't hear back.
I did strongly consider transferring the account back via the same process, and perhaps on reflection I should have done so, but I didn't want to touch anything on the account at all, so I opted to let Bugcrowd and Backblaze handle it themselves. They (Bugcrowd) have been notified that I now have someone else's account, so they'll be interested in getting this resolved quickly.
Or not? Bugcrowd strikes again.
They reject this second attempt at communicating a problem. I am advised to email Backblaze's documentation provider, Document360, as the issue is, they claim, on the documentation site (it isn't), so I go through the motions. Document360 quickly reply, of course stating that the issue isn't on the documentation site (see, it isn't!) and that I should email Backblaze directly, as they're the ones who write the documentation.
So I go looking for someone at Backblaze to poke about this account transfer directly. It may not be a typical hack or exploit, but it is a real problem. I just want the docs fixed, darn it! I find their web-based chat and consider my efforts to be coming to a conclusion now that I get to explain to an actual human over chat wha... oh, wait, never mind. I forgot it's the age of slop. Instead of a human I have to chat to their LLM bot (yay), which asks me to email Backblaze's "report phishing" address. Seems... irrelevant, but okay, I can see how it might help, and it actually has a chance of reaching the right person. I email them. They reply saying it's nothing to do with them and to go through the bug reporting page (Bugcrowd), so that's a dead end right there. Whilst waiting on the phishing address reply, I've also logged a support ticket on the Backblaze Zendesk portal.
Whilst waiting for a response I have also written another update on the Bugcrowd ticket. Which, of course, sits ignored.
Then I hear back from a support person. Not just any support person, but one who actually takes the time to look into the issue. I believe they understood what I was getting at after a bit of back and forth and escalated it, as the next day the Bugcrowd ticket has a burst of activity: it's rated a P4, then a P5 straight after (informational, therefore not deemed worthy of a reward, booooo!) and then marked as resolved.
The documentation page (<- the actual documentation page) is updated, removing the whole section containing the .xxx email address.
13 days after the bug is marked resolved, the account that was accidentally transferred to me in January is finally transferred away (back to the original owner, I assume?) and I can relax now that I no longer have potential access to this stranger's data.
So in the end I'm left with yet another bad Bugcrowd experience, a .xxx domain (which I guess I could claim proves I'm in the porno industry now?) and I'm £60 worse off for it. But hey, the issue is fixed and someone has their data back, so on balance a net positive.
What am I gonna do with a nonsense .xxx domain?