An Unexpected Bounty — Email Bounce Issues

Keshav Malik
Feb 5

Hello everyone! Here's my write-up regarding a bug that you would never have heard of before.

During recon, I found that the application I was testing had a functionality to send invites for family members to use the application. I thought of exploiting this functionality by entering some invalid emails!

Okay, so I was successful in sending emails to the invalid email addresses xD Yeah, sounds crazy, right?

Afterwards I checked how different companies treat bounced emails. The biggest cloud marketplace (Amazon Web Services), with an email service known as AWS SES, had a hard bounce rate limit of 10%. A hard bounce is an email that couldn't be delivered for some permanent reason: maybe the email is a fake address, maybe the email domain isn't a real domain, maybe the recipient's server won't accept emails, or the address was simply mistyped. That means that if, out of a total of 1000 emails, 100 were fake or invalid and bounced, AWS SES will block your service.

Seems good? I checked the policies of AWS SES (Simple Email Service) related to bounce rates to see how this all works. Here's how AWS SES works whenever an email bounces.

[Image: how AWS SES handles a bounced email. Photo by AWS SES]

In a nutshell, the complete process was this: I was able to invite as many family members as I wanted to use the web app, and even if I entered an invalid email, the invite was sent.
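
A sketch of the server-side guard the invite flow described above was missing, added here as an example (not code from the original write-up or the tested application). It rejects malformed addresses, suppresses addresses that already hard-bounced, caps invites per account, and tracks the hard bounce rate against the 10% figure cited above; the class name, the per-user cap and the in-memory storage are assumptions.

```python
import re
from collections import defaultdict

HARD_BOUNCE_LIMIT = 0.10   # the 10% hard bounce figure cited in the write-up
MAX_INVITES_PER_USER = 5   # assumption: hypothetical per-account invite cap
# Conservative syntax check: one "@", dotted domain, alphabetic TLD.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


class InviteGuard:
    """Hypothetical gate placed in front of the invite-sending code."""

    def __init__(self):
        self.suppressed = set()          # addresses that hard-bounced before
        self.invites = defaultdict(int)  # invites sent per inviting user
        self.sent = 0
        self.hard_bounces = 0

    def check(self, user_id, email):
        """Return (allowed, reason) before any mail is handed to the provider."""
        email = email.strip().lower()
        if len(email) > 254 or not EMAIL_RE.match(email):
            return False, "invalid_syntax"
        if email in self.suppressed:
            return False, "suppressed"
        if self.invites[user_id] >= MAX_INVITES_PER_USER:
            return False, "invite_limit"
        return True, "ok"

    def record_sent(self, user_id):
        self.invites[user_id] += 1
        self.sent += 1

    def record_hard_bounce(self, email):
        # Call this from the handler for the provider's bounce notifications.
        self.suppressed.add(email.strip().lower())
        self.hard_bounces += 1

    def bounce_rate(self):
        return self.hard_bounces / self.sent if self.sent else 0.0

    def sending_at_risk(self):
        return self.bounce_rate() >= HARD_BOUNCE_LIMIT


if __name__ == "__main__":
    guard = InviteGuard()
    # Constructed sample requests: (inviting user, address entered in the form)
    for user, addr in [("u1", "mom@example.com"), ("u1", "not-an-email")]:
        print(addr, guard.check(user, addr))
```

A syntax check alone does not catch well-formed addresses that do not exist, which is why the guard also feeds bounce notifications back into a suppression list.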

I reported this issue, and as it was a bug, the team took some time to understand what was going on, but within a week the bug was triaged and rewarded with a bounty $$$

Thanks for reading!

Happy Hunting :)