Security issue with email sending - Email sender
As a core concept we enable users to send emails from a given email, that we do not check, to chosen officials
Currently no checks are done on the emails, whether sender or receiver, opening the possibility to use our forms maliciously
Most evident mis use :
- Impersonating someone by sending from their email to people they know
Issue contains 2 sides :
- People sending emails: Making sure that the "from" field is actually from the person that is using the platform.
- People receiving emails: Making sure that we are only sending emails to people targeted by campaigns Dedicated ticket here: #49 (closed)
Possible solutions :
- We send the user a validation email with a link. -> on click they land on a dedicated page at which point we actually send the email
- Enable user to connect their email account to the platform, after which we verify that it's their email & pass along validation key