Snapchat: Incoming email hijacking on

ID H1:168476
Type hackerone
Reporter rubyroobs
Modified 2016-09-23T22:53:53


Hey guys!

Really interesting find here.


These dangling MX records on have allowed me to purchase an email account with GoDaddy (owner of these servers) and send/receive email from an account on this domain.

3599 IN MX 0
3599 IN MX 10


As I now "own" this email URL on GoDaddy, in theory you can't register another email address yourself. To prove that I've taken it over, feel free to email me on and I'll be able to paste the message I receive into here to prove ownership of it.


Delete these DNS records to avoid mail being hijacked on this domain.


I believe the impact of hijacking incoming emails on this address far outweighs the smaller consequences of missing SPF records. This would allow me to set up accounts on this email and in some cases allow me to prove control of the domain or impersonation of Snapchat staff.

Been super fun investigating this - not my typical find honestly :D. Let me know if you need any help triaging!

Cheers, @rubyroobs
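
A zone audit for the condition described in this report, added here as an example and not part of the original report: it flags MX records that point at a hosted mail platform where the owning domain has no provisioned account. The zone data, provider suffixes and inventory are constructed placeholders, and the parser assumes the explicit `owner TTL IN MX preference target` line form.

```python
import re

# Constructed sample zone; every name here is a placeholder, none comes from the report.
ZONE = """\
$ORIGIN example.com.
@      3600 IN MX 10 mx1.corp-mail.example.
promo  3599 IN MX 0  smtp.hosted-mail.example.
promo  3599 IN MX 10 mailstore.hosted-mail.example.
shop   3600 IN MX 5  inbound.other-host.example.
www    3600 IN A     192.0.2.10
"""
# Assumption: mail platforms where any paying customer can claim an unclaimed domain.
CLAIMABLE = {"hosted-mail.example.": "HostedMail", "other-host.example.": "OtherHost"}
# Assumption: inventory of domains the organisation has really provisioned at each one.
PROVISIONED = {"OtherHost": {"shop.example.com."}}

MX_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+MX\s+(\d+)\s+(\S+)$", re.I)

def qualify(name, origin):
    """Expand '@' and relative names against $ORIGIN; lower-case for comparison."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_mx(zone_text):
    """Return (owner, preference, target) for each MX line, fully qualified."""
    origin, records = "", []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        m = MX_RE.match(line)
        if m:
            owner, _ttl, pref, target = m.groups()
            records.append((qualify(owner, origin), int(pref), qualify(target, origin)))
    return records

def find_dangling(zone_text):
    """Flag MX targets on a claimable platform with no matching provisioned domain."""
    findings = []
    for owner, pref, target in parse_mx(zone_text):
        for suffix, provider in CLAIMABLE.items():
            if target.endswith("." + suffix) and owner not in PROVISIONED.get(provider, set()):
                findings.append((owner, pref, target, provider))
    return findings
```

Each finding is a record to delete or a mailbox plan to provision before someone else claims the domain at that provider.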