DEV Community

Discussion on: Send e-mails directly from front-end with JavaScript 💥💥

Collapse
 
franky47 profile image
François Best • Edited

You could probably use that USER_ID from the devtools console of the appropriate domain and send whatever you want, impersonating the domain owner.

Edit: the FAQ of the service indicates you can only send predefined template emails, but template variable injection could be abused.

Thread Thread
 
mikenikles profile image
Mike

Yeah that's somewhat a relief 😅. As a bad actor, I could still send thousands of messages, potentially causing increased cost or worse, the email account getting blocked.

This service seems convenient at first, but with today's serverless solutions it's worth building a backend solution that is properly secured.

Thread Thread
 
xr0master profile image
Sergey Khomushin

There is no way you can solve this problem by creating your solution. As a bad guy, I can just as well call your API for your form.