I would first like to start off by saying that Fastmail has a great bug bounty program and they really care a lot about the security of their services and customers. I first started looking into their bug bounty program a few months back and not long after browsing through the web application I came across the following feature:

I discovered that using this feature I could make HTTP requests to any website on any port, including internal IP addresses. If you made a request to a server that did not return a valid iCal file, the error message included partial contents of the response body, which made it immediately apparent that this was a real security concern (server-side request forgery with a partial read-back). The second thing I noticed was that if you included `\r\n` in the URL path you could add custom headers to the outgoing request, so in theory this could have been used for protocol smuggling. Unfortunately I was not able to find any internal services that I could use to leverage this into remote code execution. However, while looking through the source of their website I was able to find a reference to an internal IP address that was running a webserver, and I was able to pull partial contents of their internal web application.
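For comparison, this is what a hardened URL check for such a "subscribe to a calendar by URL" feature can look like. It is an added example written for this writeup, not Fastmail's code; the function names (`validate_fetch_url`, `summarize_fetch_result`), the allowed-port policy and the sample hostnames and addresses are all assumptions. It addresses the three weaknesses described above: outbound requests to private or loopback addresses, CR/LF in the URL reaching the outbound request line, and fetched bytes being echoed back into the user-facing error.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Policy assumed for a calendar-subscription fetcher: public web only.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def _is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:127.0.0.1 is still loopback; unwrap IPv4-mapped IPv6 first.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    # is_global already excludes loopback, link-local, RFC 1918, CGNAT,
    # documentation ranges and reserved space; multicast is excluded on top.
    return addr.is_global and not addr.is_multicast


def default_resolver(host: str) -> list:
    """Resolve a hostname to all of its A/AAAA addresses (network call)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_url(url: str, resolver=default_resolver):
    """Return (ok, reason). ok is True only when every check passes.

    `resolver` is injectable so the policy can be unit-tested offline.
    """
    # CR, LF and other control characters in any part of the URL are how
    # attacker-controlled headers end up in the outbound request. Reject
    # them before parsing so no component can smuggle them through.
    if any(ord(c) < 0x20 or c == "\x7f" for c in url):
        return False, "control character in URL"

    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"

    # A literal IP is checked directly; otherwise resolve and check every
    # address. Resolving also catches odd encodings such as "2130706433"
    # or "127.1", which the system resolver turns into 127.0.0.1.
    try:
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            ips = resolver(host)
        except OSError:
            return False, "DNS resolution failed"
        if not ips:
            return False, "host did not resolve"
    for ip in ips:
        try:
            if not _is_public_ip(ip):
                return False, f"resolves to non-public address {ip}"
        except ValueError:
            return False, f"unparsable address {ip}"
    return True, "ok"


def summarize_fetch_result(body: bytes):
    """Decide whether a fetched body is a calendar without echoing it.

    The user-facing message is fixed text: the response body of an
    arbitrary (possibly internal) server must never be reflected back.
    """
    if body.lstrip().startswith(b"BEGIN:VCALENDAR"):
        return True, "calendar accepted"
    return False, "URL did not return an iCalendar file"


if __name__ == "__main__":
    # Constructed resolver: maps sample hostnames to sample addresses.
    table = {"calendar.example.com": ["93.184.216.34"],
             "evil.example.com": ["10.0.0.5"]}
    fake = lambda h: table.get(h, [])
    for u in ("https://calendar.example.com/feed.ics",
              "http://evil.example.com/feed.ics",
              "http://127.0.0.1:8080/",
              "http://calendar.example.com/x\r\nX-Injected: 1"):
        print(u.encode(), validate_fetch_url(u, resolver=fake))
```

Two caveats belong with this check. First, validate every hop of a redirect chain, not just the URL the user typed, since a public host can 302 to an internal address. Second, the address that passed validation must be the address the client actually connects to (resolve once, connect to that IP, send the original Host header); otherwise a DNS answer that changes between the check and the fetch defeats the whole validator.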

I reported this vulnerability to their security team and was rewarded $1,000 for my find.