Horizon Alert
Summary of the vulnerability and why it matters
The Plunk email platform accepts unauthenticated requests to its Amazon SNS webhook endpoint, so anyone can submit forged SNS notifications. This could lead to unauthorized actions such as manipulating contact lists or skewing delivery metrics.
- Can trigger workflow automations.
- May impact billing credits.
- Affects systems using the platform.
Attack Path
How an attacker could exploit the issue
An unauthenticated attacker can exploit this flaw by sending forged Amazon SNS notification payloads to the `/webhooks/sns` endpoint. Because the endpoint does not verify the message signature, this allows them to trigger automations, manipulate contact lists, or alter email metrics without any credentials. The primary impact is on the integrity and availability of email-related operations.
- Targets public webhook endpoint.
- No authentication required.
- Forged SNS messages trigger actions.
Live Threat
Current exploitation, exposure, and threat context
This vulnerability in Plunk's webhook endpoint presents a clear path for attackers to manipulate email delivery and billing. The lack of signature verification on incoming SNS notifications means any unauthenticated attacker can forge events, leading to potentially significant disruption and cost to the victim organization.
- Public exploit code is unlikely to emerge.
- No KEV listing or observed exploitation signals exist.
- The vulnerability impacts an internet-facing API.
Priority actions
Operational Fix
Recommended remediation, mitigation, and detection steps
Prioritize upgrading Plunk to version 0.9.0 or later to address the critical vulnerability that allows unauthenticated attackers to spoof SNS events. If immediate patching is not feasible, implement strict network ingress filtering for the `/webhooks/sns` endpoint so that only traffic originating from Amazon SNS is accepted.
- Upgrade Plunk to 0.9.0 or later.
- Filter `/webhooks/sns` traffic by source IP.
- Monitor webhook logs for suspicious activity.