Algolia: Hyperlink Injection in Friend Invitation Emails

ID H1:164833
Type hackerone
Reporter corb3nik
Modified 2016-10-07T11:35:54



A user can change their last name to a URL in order to send email invitations containing malicious hyperlinks.

Steps to Reproduce

  1. Create a new Algolia account with the last name
  2. Navigate to My Account > Referral
  3. Send an invitation to an email address that you control

You will receive a new email with the last name being a link to a potentially malicious site.


This permits users to send malicious/phishing links to potential clients. It could also have an effect on how spam filters treat emails.
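A defensive check for the issue described above, as an added example that is not part of the original report and is not Algolia's fix: it rejects name values that mail clients commonly render as links and HTML-escapes whatever is interpolated into the invitation. The function names, the patterns, the fallback text, and the assumption that the name is placed into the email body as text are all hypothetical.

```python
import html
import re
import unicodedata

# Constructed heuristics for text that mail clients commonly auto-link.
LINK_PATTERNS = {
    "scheme": re.compile(r"\b[a-z][a-z0-9+.-]*://", re.I),
    "mailto": re.compile(r"\bmailto:", re.I),
    "www-prefix": re.compile(r"\bwww\.", re.I),
    "domain-like": re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I),
    "markup": re.compile(r"[<>]"),
}

def link_like_reason(value):
    """Return the name of the first pattern the value matches, else None."""
    # NFKC folds fullwidth letters and dots to ASCII before matching.
    folded = unicodedata.normalize("NFKC", value)
    for reason, pattern in LINK_PATTERNS.items():
        if pattern.search(folded):
            return reason
    return None

def validate_name(value, max_len=64):
    """Signup/profile check: reject names that would render as a link."""
    value = value.strip()
    if not value or len(value) > max_len:
        return False
    return link_like_reason(value) is None

def inviter_display_name(first, last, fallback="A user"):
    """Name to interpolate into the invitation email body (HTML-escaped)."""
    # Re-check at render time: accounts created before validation may hold URLs.
    parts = [p.strip() for p in (first, last)
             if p.strip() and link_like_reason(p) is None]
    return html.escape(" ".join(parts)) if parts else fallback
```

The domain-like pattern will also reject a few legitimate names written with an internal dot and no space, so a rejected value should prompt the user to correct it rather than fail silently.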