Instacart: Hyperlink Injection in Friend Invitation Emails

ID H1:158554
Type hackerone
Reporter corb3nik
Modified 2016-09-12T19:59:24



A user can change their name to a URL in order to send email invitations containing malicious hyperlinks.

Steps to Reproduce

  1. Create a new Instacart account with the first name
  2. Navigate to
  3. Send an email invitation to an email address that you control

You will receive a new email with the first word being a link to a potentially malicious site.


This permits users to send malicious/phishing links to potential clients. It could also have an effect on how spam filters treat emails.
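One way to close this off on the sending side, as an added example that is not part of the original report or Instacart's code: validate the first name before it reaches the invitation template and fall back to a neutral greeting when it could render as a link. It assumes the link comes from mail clients auto-linking URL-like text, so HTML-escaping the name alone would not help; `linkable_reason`, `greeting_name`, the length limit and the allowed punctuation are all hypothetical.

```python
import re
import unicodedata

MAX_LEN = 40                 # assumed policy limit for a first name
ALLOWED_PUNCT = set(" '-.")  # assumed punctuation allowed in names
# A dot followed directly by two or more letters reads as host.tld to an auto-linker.
_DOT_LABEL = re.compile(r"\.[^\W\d_]{2,}")


def linkable_reason(name):
    """Return why `name` could render as a link in an email, or None if it looks safe."""
    # NFKC folds full-width look-alikes ("．", "ｗ") to the ASCII forms clients link.
    text = unicodedata.normalize("NFKC", name).strip()
    if not text or len(text) > MAX_LEN:
        return "length"
    for ch in text:
        is_mark = unicodedata.category(ch).startswith("M")
        if not (ch.isalpha() or is_mark or ch in ALLOWED_PUNCT):
            return f"character {ch!r}"  # ':', '/', '@', digits, markup, ...
    if _DOT_LABEL.search(text):
        return "dotted host-like token"  # conservative: also rejects "St.John"
    return None


def greeting_name(first_name, fallback="A friend"):
    """Name to place in the invitation template; fallback when the input is linkable."""
    if linkable_reason(first_name):
        return fallback
    return unicodedata.normalize("NFKC", first_name).strip()


if __name__ == "__main__":
    # Constructed sample inputs, not values from the report.
    for sample in ["Maria", "J.R.", "O'Neil", "http://example.test",
                   "www.example.test", "ｅｘａｍｐｌｅ．ｔｅｓｔ"]:
        print(f"{sample!r:28} -> {greeting_name(sample)!r} ({linkable_reason(sample)})")
```

Running the same check at account creation and profile update, not only at send time, keeps URL-like names out of every other template that interpolates the name.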