Inflection: Fake mailing reports using mail service on [URL : mail-txn.identity.com]

2017-10-19T23:50:48
ID H1:280803
Type hackerone
Reporter namansahore
Modified 2017-10-25T19:30:46

Description

The researcher discovered an unused subdomain that served as an alias for Mandrill's third-party transactional email service. Mandrill's relay server could be used to send bounceback/failed delivery messages to an arbitrary "sender", although the contents of the message itself are limited to Mandrill's pre-set bounceback template. As the vulnerability is not in a service that we operate, we removed the unused subdomain.
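The root cause described above is an inventory problem: a subdomain still delegated to a third-party mail provider after the organisation stopped using it. The script below is an added example (not part of the HackerOne report or of Inflection's tooling) showing how a defender can audit a DNS export for names that hand sending or bounce handling to an outside provider via CNAME, MX or SPF `include:`, and flag any that are not on the list of senders actually in use. The zone export and the in-use list are constructed; the provider suffix list (`mandrillapp.com` and the others) is an assumption and should be replaced with the providers your own organisation contracts with.

```python
"""Audit a DNS zone export for subdomains delegated to third-party mail services.

Added example, not code from the original report. All records are constructed.
"""

# Assumed domains of third-party mail providers that send or handle bounces
# on a customer's behalf. Replace with the providers you actually use.
THIRD_PARTY_MAIL_SUFFIXES = (
    "mandrillapp.com",
    "sendgrid.net",
    "amazonses.com",
)

# Constructed zone export: one record per line, "name  type  value".
ZONE_EXPORT = """\
mail-txn.example.com.     CNAME  mandrillapp.com.
mail-txn.example.com.     TXT    "v=spf1 include:spf.mandrillapp.com ~all"
www.example.com.          A      203.0.113.10
old-campaign.example.com. CNAME  sendgrid.net.
example.com.              MX     10 mx.example.com.
"""


def parse_zone(text):
    """Parse the simple export format into (name, type, value) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, rtype, value = line.split(None, 2)
        records.append((name.rstrip(".").lower(), rtype.upper(), value.strip()))
    return records


def _provider_for(host):
    """Return the matching provider suffix for a hostname, or None."""
    host = host.strip('"').rstrip(".").lower()
    for suffix in THIRD_PARTY_MAIL_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def find_mail_aliases(records):
    """Map each name delegated to a third-party mail service to the providers involved.

    Delegation is detected through a CNAME or MX target under a provider domain,
    or an SPF TXT record that includes a provider's SPF.
    """
    findings = {}
    for name, rtype, value in records:
        providers = set()
        if rtype in ("CNAME", "MX"):
            target = value.split()[-1]  # MX values are "<preference> <host>"
            provider = _provider_for(target)
            if provider:
                providers.add(provider)
        elif rtype == "TXT" and value.strip('"').startswith("v=spf1"):
            for mechanism in value.strip('"').split():
                if mechanism.startswith("include:"):
                    provider = _provider_for(mechanism[len("include:"):])
                    if provider:
                        providers.add(provider)
        if providers:
            findings.setdefault(name, set()).update(providers)
    return findings


def flag_unused(findings, in_use):
    """Names delegated to a provider but absent from the list of active senders.

    These are candidates for removal, which is the remediation the report describes.
    """
    return sorted(name for name in findings if name not in in_use)


if __name__ == "__main__":
    aliases = find_mail_aliases(parse_zone(ZONE_EXPORT))
    for name, providers in sorted(aliases.items()):
        print(f"{name}: delegated to {', '.join(sorted(providers))}")
    # Constructed list of senders the organisation still uses.
    for name in flag_unused(aliases, in_use={"mail-txn.example.com"}):
        print(f"REVIEW: {name} is delegated to a mail provider but not in use")
```

Run the audit against a real zone export on a schedule and treat every flagged name as a ticket to either confirm ownership of the provider account or delete the record; a CNAME or SPF include left pointing at a provider is exactly what lets that provider's infrastructure emit mail that appears to come from the organisation's domain.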