We launched ThumbGenie AI a couple of months ago and it is one of our faster-growing products. Faster growth also brings more attention from unwanted visitors. We had developed the app securely, but we had one small issue: we send a welcome email to every user who registers with our app, and there was no validation on the name of the registered user. No SQL injection was possible, as we filter all input for injection attacks, but the problem was that the name field also accepted URLs. So someone who had obtained a list of 3K+ email addresses, and wanted to send those people a link to their website, used our signup page to register those addresses from many different IPs with a name containing their link. Many of the emails were blocked by the receiving mail servers after being identified as spam, but some hundreds of emails were sent out.
Most attacks aim to steal data from a website, but this one was slightly different: they wanted to use our email server to send email, using our signup email as the carrier, with their link embedded in the name shown in that email. I don't think this effectively benefits the sender, since anyone who looks at the email can tell the links are spam, but we could have prevented it by having a simple validation in place from the start. The cost to us is less the content of those emails than the sender reputation of our mail domain: once receiving servers start flagging our welcome emails as spam, legitimate welcome emails can be affected too.
As an effective measure we have implemented Google reCAPTCHA to prevent automated signups, and we have also implemented validation on the name field. We can assure our existing users that no data leak occurred; this was only an attempt to register new users without their consent. We have addressed the issue and put safeguards in place.
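The kind of name-field validation described above, as an added example for this post rather than ThumbGenie's own code. It assumes a Python backend, a 64-character limit and a "letters, marks, spaces, apostrophe, hyphen, period" character policy, all of which are assumptions; it rejects URL schemes, `www.` prefixes and bare domains such as `bit.ly/abc`, and it HTML-escapes the name when the welcome email is rendered as a second line of defence. The sample inputs at the bottom are constructed to mimic what the signup abuse would have submitted.

```python
"""Display-name validation for a signup form, plus safe rendering of the
welcome email.  Added example for this post, not ThumbGenie's own code; the
limits and character policy below are assumptions."""
import html
import re
import unicodedata

MAX_NAME_LEN = 64  # assumed policy limit; real names rarely exceed this

# Ways a link can be smuggled into a "name".  These produce a specific
# rejection reason; the character allowlist further down is the real backstop.
_LINK_PATTERNS = [
    ("url scheme", re.compile(r"[a-z][a-z0-9+.-]*://", re.I)),   # http://, https://, ftp://
    ("www prefix", re.compile(r"\bwww\.", re.I)),                 # www.example.test
    # Bare domain such as example.com, t.co or bit.ly/xyz: word, dot, 2+ letter
    # TLD, followed by a path, port, whitespace or end of string.  "Smith.Jr"
    # also trips this; that is an accepted false positive for a signup form.
    ("bare domain", re.compile(r"[a-z0-9-]+\.[a-z]{2,}(?=[/:\s]|$)", re.I)),
]


def _is_name_char(ch: str) -> bool:
    """Letters of any script, combining marks, plain spaces and ' - . only.
    Digits, underscores and all other punctuation are rejected (policy assumption)."""
    cat = unicodedata.category(ch)
    return cat[0] in ("L", "M") or cat == "Zs" or ch in "'-."


def validate_name(raw: str) -> tuple[bool, str]:
    """Return (ok, reason).  reason is "" when the name is accepted."""
    # NFKC folds look-alikes such as the full-width dot "．" into ASCII, so the
    # link checks below see the same text a mail client would auto-link.
    name = unicodedata.normalize("NFKC", raw).strip()
    if not name:
        return False, "name is empty"
    if len(name) > MAX_NAME_LEN:
        return False, f"name longer than {MAX_NAME_LEN} characters"
    for label, pattern in _LINK_PATTERNS:
        if pattern.search(name):
            return False, f"name contains a link ({label})"
    bad = sorted({ch for ch in name if not _is_name_char(ch)})
    if bad:
        return False, "disallowed characters: " + " ".join(repr(c) for c in bad)
    if not any(unicodedata.category(ch).startswith("L") for ch in name):
        return False, "name contains no letters"
    return True, ""


def render_welcome_html(name: str) -> str:
    """Build the welcome-email body.  Validation happens at signup; escaping here
    is defence in depth so a name can never inject markup into the email."""
    ok, reason = validate_name(name)
    if not ok:
        raise ValueError(f"refusing to send welcome email: {reason}")
    return f"<p>Welcome to ThumbGenie AI, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    # Constructed inputs: the first two are ordinary names, the rest mimic what
    # the signup abuse described in the post would have submitted.
    for sample in ["Jane Doe", "J. R. R. Tolkien",
                   "Visit http://promo.example/offer", "promo.example",
                   "bit.ly/abc", "promo．example", "<a href='x'>click</a>"]:
        print(f"{sample!r:40} -> {validate_name(sample)}")
```

The allowlist is what actually stops the abuse; the link patterns exist only to give the user (and your logs) a precise reason. Escaping in the template does not make a plain `promo.example` harmless, since most mail clients auto-link bare domains, which is why validation at signup has to come first.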
Thank you for reading this.