Zomato: Persistent input validation mail encoding vulnerability in the "just followed you" email notification.

ID H1:114879
Type hackerone
Reporter pr0tagon1st
Modified 2016-04-07T04:50:06


This vulnerability allows an attacker to add custom HTML/JS code to emails that are then sent to other users of zomato.com.

This vulnerability can be reproduced by any normal user (i.e. an unprivileged account) by entering malicious code in the "your full name" field of their profile. This is not possible during registration, because that input is filtered; it is possible when editing the user profile, because the "your full name" field is not filtered at that point.

This vulnerability could be used to inject an img or iframe with an external JS source that could expose a user's cookie information.

These are the steps to reproduce it:

  1. Register and verify an account with zomato.com.
  2. Browse to the "edit user profile" page as a logged in user.
  3. Inject the desired HTML/JS payload into the "Your full name" field.
  4. Save your profile.
  5. Browse to another user's profile.
  6. Click the "Follow" button.
  7. The other user will receive a "<payload> has just followed you!" email within a few minutes that contains the HTML/JS payload in the subject and body.

I have used these payloads to confirm the vulnerability: "><"<img src="x">%20%20> "<iframe src=a>%20<iframe> <img Src="http://goo.gl/JPx2sV" onload=alert("PENTEST")>%20%20> "<iframe Src=a>%20<iframe>

And this is part of an email message I received that contains one of the payloads: <span style="color: white; font-size: 22px; line-height: 24px; display:block;"><a href="https://www.zomato.com/users/ltimg-srcquothttpgoogljpx2svquot-onloadalertquotpentestquotgt2020gt-quotltiframe-srcagt20ltiframegt-33442340?ref=email_follow_back_follower_link_1" style="text-decoration: none;color: white;"> <strong><img Src="http://goo.gl/JPx2sV" Onload=alert("PENTEST")>%20%20> "<iframe Src=a>%20<iframe> </strong> </a> just followed you.</span>

This shows the unfiltered payload a victim would receive.
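As an added example (not Zomato's code and not part of the report): a hypothetical notification template in the shape of the snippet quoted above, rendered once with the profile name interpolated verbatim and once with it HTML-escaped at the point it enters the markup, plus a check that flags any tag the template itself does not emit. The follower name is the payload from the report; the profile URL is a placeholder.

```python
import html
import re

# Follower display name copied from the payload quoted in the report (constructed test input).
FOLLOWER_NAME = '<img Src="http://goo.gl/JPx2sV" onload=alert("PENTEST")>%20%20> "<iframe Src=a>%20<iframe>'
# Placeholder profile link; the real link in the report is a slug derived from the name.
PROFILE_URL = "https://example.invalid/users/follower-placeholder"

# Hypothetical template shaped like the mail snippet in the report; not Zomato's own code.
TEMPLATE = (
    '<span style="color: white; font-size: 22px; line-height: 24px; display:block;">'
    '<a href="{profile_url}" style="text-decoration: none;color: white;">'
    '<strong>{name}</strong></a> just followed you.</span>'
)
TEMPLATE_TAGS = {"span", "a", "strong"}  # the only elements the template itself emits
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def render_vulnerable(name, profile_url):
    """Interpolates the profile name verbatim, so any markup in it becomes part of the mail."""
    return TEMPLATE.format(name=name, profile_url=profile_url)


def render_fixed(name, profile_url):
    """Escapes the name (and the link) where they enter HTML, the step the report says is missing."""
    return TEMPLATE.format(name=html.escape(name, quote=True),
                           profile_url=html.escape(profile_url, quote=True))


def injected_tags(rendered):
    """Lists tag names in the rendered mail that the template does not emit.

    A non-empty result means user-controlled markup reached the message body.
    """
    return [m.group(1).lower() for m in TAG_RE.finditer(rendered)
            if m.group(1).lower() not in TEMPLATE_TAGS]


if __name__ == "__main__":
    print("unsafe:", injected_tags(render_vulnerable(FOLLOWER_NAME, PROFILE_URL)))
    print("fixed: ", injected_tags(render_fixed(FOLLOWER_NAME, PROFILE_URL)))
```

The same escape applies to every other place the name is interpolated into HTML, such as a profile page; the check is a test-time assertion, not a substitute for escaping in the template engine.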

The accounts I have used for this test all use the email *@mattscodecave.com.