Bug Bounty: Vulnerability In customer.io

Hi there,

First of all sorry for this long pause from my side I was busy in somethings and it took me some time to sort out all the things.

So in this post I am going to discuss about a vulnerability I found in customer.io.

About customer.io:-
A light integration sends the Customer.io platform customer behavior data from your web or mobile app. Then you can start sending messages based on what users do or don't do after they log in. Increase engagement, revenue, and customer success.

I was looking at SPF record of some company and i found the that some companies have customer.io in their spf record the are allowing customer.io to send emails on their behalf.
SO i directly went to customer.io and created an account.
after creating an account I created a template for sending this as an email.
Now you can add as many email account you want for sending email so I tried saving an email of a site which have customer.io in their spf record. The email address no-reply@example.com(I dont want to disclose the website).
the email was added succesfully but after this one problem arised that customer.io doesnt let me send the email from that second email address i have added to my account.
so there are two conditions:-

1. When creating an account you have to verify the email address.
2. You can only send the email from the email you have used while creating the account.

So i tried some ideas like sending an email capturing that request with burp and modifying the email  but these doesn't work.

While adding the email there was an option to edit my primary email. thats looks something vulnerable to I clicked on edit the email and editing my primary email to no-reply@example.com and it was successful. Now I can send the emails on the behalf of the customers of that company.

First of all I reported this to some of his customers who were vulnerable to this after that i wrote and email to customer.io and explained this to them.
they told me that they are fixing this ASAP but since they dont have an bug bounty program they are no rewarding me anything. That was fine because I dont this testing for exploring and gaining knowledge.

They send me reply >24 hour of reporting this and I was happy with their quick response.


They did two thing to fix this vulnerability first of all they blocked my account. 😁😁😁😁😁😁😁😁😁😁. and after that they added domain verification whenever you try to add an email you have to verify its ownership. 

Hope you liked it 

Jitendra K Singh(Team Computer Korner)

Feel Free To Leave A Comment If Our Article has Helped You, Support Us By Making A Small Contribution, Thank You!