What is Hyperlink Injection, its basically spoofing or injecting a link when sending an email invitation.
Its a P5 according to bugcrowd, but some companies might consider it as a serious issue so report if you find it, might get paid.
How do you find it, pretty simple. Lets consider the Missive app, its an email/chat app for a group of people or a team. You create an organization and then add people in it and they can join in via email-invitation which looks like this.
Here, the organization name(Whatnow), my first name(John) and last name (Cena) are reflected, from here you can try to change any 3 names to a link and see if its shown in the email. For eg. I tried to change the organization name and it didn’t look like a link. They add a space after the dot in the URL.
The only place left was to change my name to a link, so i changed my name to www.evil.com saved it and then sent the invite again which looked something like this.
There you have it, Hyperlink Injection. I know it looks pretty obvious that there is a malicious link in the email, so to make it less suspicious i changed my name to John [Also special discount for new users go to www.evil.com for 50% off]
I think that looks pretty neat.
Same goes to UsabilityHub, a platform for online surveys and tests. They also had a feature to invite a member in their team and after changing the name to a URL the email invitation looked like this.
Although its a paid feature the security team hooked me up to a paid account for it to try.
Now some companies pay might vary on what they think about the severity of the bug. In the case of Missive, they considered it as a low severity.
Some don’t consider it.
Some pay good.
And some pretty GOOD.
Thanks to Missive and UsabilityHub for allowing me to disclose the issue. Both platforms fixed the issue pretty quickly. Hope you guys know what Hyperlink Injection is now.
Follow me on twitter — https://twitter.com/abhishekY495
Thank you.
