Instacart: Hyperlink Injection in Friend Invitation Emails

2016-08-11T19:23:55
ID H1:158554
Type hackerone
Reporter corb3nik
Modified 2016-09-12T19:59:24

Description

A user can change their name to a URL in order to send email invitations containing malicious hyperlinks.

Steps to Reproduce

  1. Create a new Instacart account with the first name http://example.com
  2. Navigate to https://www.instacart.com/store/referrals
  3. Send an email invitation to an email address that you control

You will receive a new email with the first word being a link to a potentially malicious site.

Consequences

This permits users to send malicious/phishing links to potential clients. It could also have an effect on how spam filters treat instacart.com emails.
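The report shows a user-controlled display name flowing unchecked into an outbound email, where a URL-shaped name becomes a clickable link. The following is an added example of the two defensive controls a service owner would typically put in place; it is not Instacart's code or the reporter's, and the allowed hostnames, the name policy, the template text and the invite URL are all constructed assumptions. It validates the display name at signup, escapes it when rendering, and runs an outbound check that flags any link in the rendered mail that does not point at the service's own domain, which would have caught this report's case even if validation were bypassed.

```python
import html
import re
from urllib.parse import urlparse

# Assumption: the only hosts an invitation email is allowed to link to.
ALLOWED_HOSTS = {"www.instacart.com", "instacart.com"}

# Constructed heuristic for "looks like a URL": a scheme, a www. prefix,
# or a bare domain such as example.com. Names with dots are rare enough
# that rejecting them is an acceptable trade-off here.
URL_LIKE = re.compile(
    r"(?i)(?:[a-z][a-z0-9+.-]*://|www\.|(?<![\w-])[\w-]+\.[a-z]{2,}(?=[/\s]|$))"
)


def validate_display_name(name: str) -> bool:
    """Accept a name only if it is short and contains nothing URL-shaped."""
    name = name.strip()
    if not 1 <= len(name) <= 64:
        return False
    if URL_LIKE.search(name):
        return False
    return True


def render_invite_html(first_name: str, invite_url: str) -> str:
    """Render the invitation; user text is escaped and only the server-supplied
    invite URL becomes an anchor."""
    if not validate_display_name(first_name):
        raise ValueError("display name rejected by policy")
    safe_name = html.escape(first_name, quote=True)
    safe_url = html.escape(invite_url, quote=True)
    return (
        f"<p>{safe_name} has invited you to Instacart.</p>"
        f'<p><a href="{safe_url}">Accept the invitation</a></p>'
    )


HREF = re.compile(r'href="([^"]+)"')
TEXT_URL = re.compile(r'(?i)\bhttps?://[^\s<"]+')


def unexpected_links(body: str, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Outbound check run before sending: every URL in the body, whether in an
    href or as plain text a mail client would auto-link, must point at an
    allowed host. Returns the offending URLs, sorted."""
    found = set(HREF.findall(body)) | set(TEXT_URL.findall(body))
    bad = []
    for url in found:
        host = urlparse(url).hostname or ""
        if host not in allowed_hosts:
            bad.append(url)
    return sorted(bad)


if __name__ == "__main__":
    # Constructed sample: a well-formed invitation passes the outbound check.
    ok_body = render_invite_html("Ibrahim", "https://www.instacart.com/r/abc123")
    print(unexpected_links(ok_body))  # []

    # Constructed sample of the reported condition: an unvalidated name that
    # is a URL, rendered as plain text, is flagged before the mail goes out.
    bad_body = (
        "<p>http://example.com has invited you to Instacart.</p>"
        '<p><a href="https://www.instacart.com/r/abc123">Accept</a></p>'
    )
    print(unexpected_links(bad_body))  # ['http://example.com']
```

The outbound check is deliberately independent of the name validator: it inspects the final rendered body, so it also covers other user-controlled fields that later get added to the template, and it looks at plain-text URLs as well as anchors because mail clients auto-link the former.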