Abuse-ception: How I Turned the Abuse Report Feature Into a Mass Email Spammer
Summary
An ethical hacker known as iski explains how they stumbled upon a bug that turned a SaaS app's abuse report feature into a mass email sender.
They had been poking around a random SaaS app's abuse reporting feature, sleep-deprived on a Monday morning, when they came across the endpoint "/api/v1/report-abuse".
A GET request to this endpoint returned a list of the email addresses of users who had submitted abuse reports, which gave the hacker the idea of sending a POST request to the same endpoint with their own list of recipient email addresses.
To their surprise, the request succeeded and every recipient was mass emailed, and the company was paying a bounty for any vulnerability that resulted in mass emailing users without permission.
The hacker coined the term "abuse-ception" for the unexpected irony of abusing the very system designed to prevent abuse.
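The two defects the summary describes (an unauthenticated listing of reporter addresses, and a POST that mails whatever recipient list the client supplies) are a common shape for this class of bug. The following is an added example, not code from the original post or the SaaS app it describes: a toy handler for the `/api/v1/report-abuse` path named in the post, written once in the vulnerable shape and once hardened. The request format, the in-memory store, the mailer stub, the admin set, the per-user quota and every email address are constructed for this example.

```python
"""Added example (not code from the original post or the SaaS app it describes).

A toy /api/v1/report-abuse handler in the shape the write-up describes, beside a
hardened version. The endpoint path comes from the post; the request format, the
in-memory store, the mailer stub and every address are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Optional

ABUSE_TEAM = "abuse-team@example.test"   # constructed internal mailbox that reports go to
ADMINS = {"admin@example.test"}          # constructed admin principals
MAX_REPORTS_PER_USER = 5                 # assumed per-user quota


@dataclass
class Request:
    method: str
    user: Optional[str]                  # authenticated principal, None if anonymous
    body: dict = field(default_factory=dict)


def new_store():
    # Constructed sample data: two reports already on file.
    return {
        "reports": [
            {"reporter": "alice@example.test", "reported": "spam1@example.test"},
            {"reporter": "bob@example.test", "reported": "spam2@example.test"},
        ],
        "counts": {},                    # reporter -> number of reports filed
    }


def send_mail(recipients, subject, body, outbox):
    # Stub mailer: records what would have been sent instead of sending it.
    outbox.append({"to": list(recipients), "subject": subject, "body": body})


def report_abuse_vulnerable(req, store, outbox):
    """The two defects from the write-up in one handler."""
    if req.method == "GET":
        # Defect 1: anyone can list every reporter's email address.
        return 200, {"reporters": [r["reporter"] for r in store["reports"]]}
    if req.method == "POST":
        # Defect 2: the recipient list is taken verbatim from the client,
        # so the endpoint doubles as a mass mailer.
        recipients = req.body.get("recipients", [])
        send_mail(recipients, "Abuse report", req.body.get("message", ""), outbox)
        return 200, {"sent": len(recipients)}
    return 405, {"error": "method not allowed"}


def report_abuse_hardened(req, store, outbox):
    """Same endpoint with authn, authz, server-chosen recipients and a quota."""
    if req.user is None:
        return 401, {"error": "authentication required"}
    if req.method == "GET":
        # Reporter identities are sensitive; only admins may list them.
        if req.user not in ADMINS:
            return 403, {"error": "forbidden"}
        return 200, {"reporters": [r["reporter"] for r in store["reports"]]}
    if req.method == "POST":
        # Any client-supplied "recipients" field is ignored: the only
        # destination is the internal abuse mailbox.
        reported = req.body.get("reported")
        message = req.body.get("message", "")
        if not isinstance(reported, str) or "@" not in reported:
            return 400, {"error": "invalid 'reported' address"}
        if not isinstance(message, str) or len(message) > 2000:
            return 400, {"error": "message missing or too long"}
        used = store["counts"].get(req.user, 0)
        if used >= MAX_REPORTS_PER_USER:
            return 429, {"error": "report quota exceeded"}
        store["counts"][req.user] = used + 1
        store["reports"].append({"reporter": req.user, "reported": reported})
        send_mail([ABUSE_TEAM], "Abuse report",
                  f"{req.user} reported {reported}: {message}", outbox)
        return 202, {"sent": 1}
    return 405, {"error": "method not allowed"}


if __name__ == "__main__":
    store, outbox = new_store(), []
    bulk = {"recipients": ["v1@example.test", "v2@example.test"], "message": "hello"}
    print("vulnerable GET :", report_abuse_vulnerable(Request("GET", None), store, outbox))
    print("vulnerable POST:", report_abuse_vulnerable(Request("POST", None, bulk), store, outbox),
          outbox[-1]["to"])
    print("hardened GET   :", report_abuse_hardened(Request("GET", None), store, outbox))
    print("hardened POST  :", report_abuse_hardened(
        Request("POST", "carol@example.test", {**bulk, "reported": "spam3@example.test"}),
        store, outbox), outbox[-1]["to"])
```

The point of the hardened version is that a report endpoint never needs a recipient list from the caller: the destination is a fixed internal mailbox, the reporter identity comes from the session, and the listing of reporters is an admin-only read. The quota is a backstop so that even an authenticated account cannot turn the endpoint into a bulk channel.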