Domain Aliases can be created by sending mails from different and unrelated emails

[AOiegas]

Build:

• Stage;

Affected Platforms:

• Across platform;

Browsers tested on:

• Firefox, latest version;

Prerequisites:

• Be signed in into a Firefox Relay account with an active subscription;
• Have a Subdomain name set;
• Have a second email address, unrelated from the Relay account, to send emails from;

Steps to reproduce:

1. From the second email address send a mail to a set Subdomain address (e.g. something@subdomain.mozmail.fxprivaterelay.nonprod.cloudops.mozgcp.net );
2. Go to https://stage.fxprivaterelay.nonprod.cloudops.mozgcp.net/accounts/profile/ ;
3. Observe the generated aliases list;

Expected result:

• There is no newly created Subdomain Address;

Actual result:

• The Subdomain Address was created without issue;

Notes:

• This doesn’t seem to be intended as anybody with knowledge of the user’s Subdomain name can create numerous aliases without the user’s consent;
• In the screenshots I have marked the forwarded number of the alias in question because the initial sent email, the one that creates it, is the first one counted;
• To be noted that the "Get unlimited aliases" button is present because of a bug, the account has an active subscription in fact;

[groovecoder]

This is actually by design - this enables the “offline” relay experience. E.g., you check in at hotel XYZ that wants an email address. You say “hotelXYZ@cratez.mozmail.com” and it starts working immediately - you don't have to create it before-hand.

We can consider some ways to mitigate abuses like you mention. E.g., we could limit domain aliases created by any particular sender, a sender only gets to create a single alias.