Hijack all emails sent to any domain that uses Cloudflare Email Forwarding

Critical
Cloudflare Public Bug Bounty
Team Summary

Official summary from Cloudflare Public Bug Bounty

The Email Routing feature enables Cloudflare users to create any number of custom email addresses and route all incoming messages to the user's preferred inboxes. Due to a bug in zone ownership verification, it was possible to configure Email Routing to redirect e-mail messages for an unverified zone (with Email Routing enabled) to a different mailbox. In addition, the vulnerability allowed the e-mail forwarding configuration created by the zone owner to be overwritten. The issue has since been fixed by the Engineering team and zone ownership verification is working as expected when setting up Email forwarding rules. We investigated the exploit and validated it had only been found by the security researcher who responsibly disclosed the issue.

Reported by albertspedersen

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$6000.00

Weakness

Improper Authorization