Hijacking email with Cloudflare Email Routing
On Tuesday, December 7th 2021 I discovered a critical vulnerability in Cloudflare’s Email Routing service. This vulnerabilty enabled anyone to modify the routing configuration of any domain using the service. A bad actor could have overwritten the destination address to their own email address in order to read any email sent to the victim’s domain. The bug has since been fixed and Cloudflare has kindly allowed me to publish this write-up....