Algolia: Hyperlink Injection in Friend Invitation Emails

2016-08-31T20:08:40
ID H1:164833
Type hackerone
Reporter corb3nik
Modified 2016-10-07T11:35:54

Description

A user can set their last name to a URL so that the friend-invitation emails Algolia sends on their behalf contain a hyperlink the user controls.

Steps to Reproduce

  1. Create a new Algolia account with the last name set to http://example.com.
  2. Navigate to My Account > Referral.
  3. Send an invitation to an email address that you control.

The invitation email you receive renders the last name as a clickable link, so a legitimate algolia.com email now points its recipient at a site chosen by the inviter.
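The following Python is an added illustration of the failure mode and of the check a fix needs; it is not Algolia's code and does not describe how Algolia's template actually works. It assumes a naive autolinker (of the kind mail templates or mail clients apply to message bodies) and a hypothetical invite URL; the vulnerable renderer interpolates the raw name and autolinks it, while the hardened renderer rejects URL-looking names, HTML-escapes the name, and only ever places the server-generated invite URL in an href.

```python
import html
import re

# Naive autolinker, as assumed above: any http(s):// token becomes an anchor.
AUTOLINK = re.compile(r"(https?://[^\s<]+)")


def autolink(text: str) -> str:
    return AUTOLINK.sub(r'<a href="\1">\1</a>', text)


def render_invite_unsafe(first: str, last: str, invite_url: str) -> str:
    """Vulnerable rendering: the user-supplied name is interpolated raw and then
    autolinked, so a last name of "http://example.com" becomes a live link."""
    body = f"{first} {last} has invited you to join. Accept: {invite_url}"
    return autolink(body)


# Conservative "does this look like a URL?" checks for a name field:
# an explicit scheme, a leading www., or a bare domain-like token (label.tld).
SCHEME = re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://")
WWW = re.compile(r"(?i)(^|[\s'\"(])www\.")
DOMAINISH = re.compile(r"(?i)[a-z0-9-]+\.[a-z]{2,}(?=$|[\s/?#:'\")])")
FORBIDDEN_CHARS = re.compile(r"[<>/\\]")


def looks_like_url(value: str) -> bool:
    return bool(SCHEME.search(value) or WWW.search(value) or DOMAINISH.search(value))


def validate_name(value: str, max_len: int = 64) -> str:
    """Normalise whitespace and reject names that carry a URL or markup.
    Raises ValueError; callers should surface this at account creation and
    profile update, not only when the invitation is sent."""
    value = " ".join(value.split())
    if not value or len(value) > max_len:
        raise ValueError("name must be 1..%d characters" % max_len)
    if looks_like_url(value):
        raise ValueError("name must not contain a URL or domain")
    if FORBIDDEN_CHARS.search(value):
        raise ValueError("name contains forbidden characters")
    return value


def is_acceptable_name(value: str) -> bool:
    try:
        validate_name(value)
        return True
    except ValueError:
        return False


def render_invite_safe(first: str, last: str, invite_url: str) -> str:
    """Hardened rendering: validated, HTML-escaped name shown as text only;
    the sole anchor in the message carries the server-generated invite URL."""
    inviter = html.escape(f"{validate_name(first)} {validate_name(last)}")
    href = html.escape(invite_url, quote=True)  # invite_url is assumed server-generated
    return (
        f"<p>{inviter} has invited you to join.</p>"
        f'<p><a href="{href}">Accept invitation</a></p>'
    )


if __name__ == "__main__":
    url = "https://invite.example/abc123"  # hypothetical invite link
    print(render_invite_unsafe("Jane", "http://example.com", url))
    print(render_invite_safe("Jane", "O'Brien", url))
```

The domain check deliberately errs on the side of rejecting, since a rare legitimate surname that looks like a hostname is a smaller problem than a phishing link under the sender's own domain; escaping alone is not enough here because many mail clients autolink plain-text URLs regardless of how the template rendered them.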

Consequences

This permits any user to deliver malicious or phishing links to prospective Algolia customers inside genuine algolia.com emails, which recipients have every reason to trust. If abused at scale, it could also degrade how spam filters treat algolia.com mail in general.