Email marketers have another issue to worry about: A security researcher says an email security vendor is leaving email domains open to phishing attacks.
That charge, which was first reported by Axios, was made by independent researcher Marcello Salvati.
According to that report, Salvati built a tool that allows hackers to send an email “from whatever MailChannel customer domain name they want without verifying if they own the domain.”
The number of possibly exposed email addresses, according to the loud Axios headline: 2 million.
That doesn’t mean the addresses have been hacked — only that there may be an opening.
The flaw, as Salvati described it to Axios, is that MailChannels — unlike other email vendors — does not require clients to prove they own a domain before they can send emails from it.
That is because its clients — mostly web-hosting companies — use email to send password resets or signup confirmations.
Moreover, the spam detection tools utilized by MailChannels are easy for a bad actor to bypass, the report alleges.
Salvati says on LinkedIn that the first of two demos he performed “demonstrates impersonating Satan (spoofing an email from firstname.lastname@example.org).” He continues: “This second demo demonstrates that it was possible to spoof email from any of MailChannel's customer domains even with DMARC + DKIM configured.”
Salvati also provides “the code for the Cloudflare Worker” that he said allows spoofing of “domains via MailChannel's transactional API.”
MailChannels CEO Ken Simpson responded to the Axios report after publication by writing: “Mailchannels sends emails for 30 million different domains that are hosted behind over 600 web hosting provider networks.”
Simpson also states that Salvati’s research points to a broad, well-known flaw in the DMARC standard.
He continues: “We cannot force every domain owner to verify the ownership of their domain because domain owners do not even authenticate domain ownership with their own hosting provider.”
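To make the two points above concrete (why DMARC + DKIM on a customer domain do not stop a message submitted by a different customer of the same shared relay, and why a per-domain ownership check at the relay is what closes the gap), here is an added toy model; it is not MailChannels' code, and the relay name, IP range, tenant names and the DNS-token ownership registry are constructed assumptions.

```python
"""Toy model: a customer domain delegates SPF/DKIM to a shared relay, so DMARC
passes for any tenant's submission; only a relay-side ownership check rejects it."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed DNS snapshot: example.org delegates SPF to a hypothetical shared relay.
DNS = {
    "example.org": {"spf": "v=spf1 include:relay.example.net -all",
                    "dmarc": "v=DMARC1; p=reject; adkim=r; aspf=r"},
    "relay.example.net": {"spf": "v=spf1 ip4:203.0.113.0/24 -all"},
}
RELAY_IP = "203.0.113.10"
# Assumed registry: domains a tenant has proven ownership of (e.g. via a DNS TXT token).
VERIFIED_OWNERS = {"example.org": "tenant-a"}

@dataclass
class Message:
    tenant: str             # relay customer that submitted the message
    mail_from: str          # envelope-sender domain (SPF identity)
    header_from: str        # RFC 5322 From domain (DMARC identity)
    dkim_d: Optional[str]   # d= of the signature the relay applied, if any (assumed)
    src_ip: str = RELAY_IP  # delivering IP as seen by the receiver

def org_domain(d: str) -> str:
    return ".".join(d.split(".")[-2:])

def spf_authorizes(domain: str, ip: str, depth: int = 0) -> bool:
    """Minimal SPF check: ip4 and include terms only, with bounded recursion."""
    for term in DNS.get(domain, {}).get("spf", "").split()[1:]:
        if term.startswith("ip4:") and \
                ipaddress.ip_address(ip) in ipaddress.ip_network(term[4:]):
            return True
        if term.startswith("include:") and depth < 5 and \
                spf_authorizes(term[8:], ip, depth + 1):
            return True
    return False

def aligned(ident: str, header_from: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') or relaxed ('r', organizational domain)."""
    return ident == header_from if mode == "s" else org_domain(ident) == org_domain(header_from)

def dmarc_result(msg: Message) -> str:
    """Receiver-side DMARC: pass if an aligned SPF or aligned DKIM identity authenticates."""
    tags = dict(t.strip().split("=", 1) for t in DNS[msg.header_from]["dmarc"].split(";") if "=" in t)
    spf_ok = spf_authorizes(msg.mail_from, msg.src_ip) and \
        aligned(msg.mail_from, msg.header_from, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_d is not None and aligned(msg.dkim_d, msg.header_from, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else "fail"

def relay_accepts(msg: Message, lockdown: bool) -> bool:
    """Relay-side submission policy: without lockdown, any tenant may use any From domain."""
    return not lockdown or VERIFIED_OWNERS.get(msg.header_from) == msg.tenant
```

The receiver cannot tell the two tenants apart: both messages arrive from the relay's authorized IP, so the only place the spoof can be refused is at submission, before the relay lends the domain its reputation.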
That said, MailChannels is offering a new security product called Domain LockDown.
Again, there does not seem to be actual harm as yet from the purported exposure.
MailChannels had not yet responded to a request for comment at deadline.