2 matches found
Whisper: SMS Invite Form Abuse
whisper.sh fails to protect the invite form from abuse by attackers. If a malicious individual wants to abuse this functionality, they could send repeated/automated requests to the same phone number or range of phone numbers that do not actually belong to them. This would result in lots of...
Whisper: Host Header Injection/Redirection
whisper.sh is vulnerable to host header injection because the host header can be changed to something outside the target domain (i.e. whisper.sh) and cause it to redirect to that domain instead (see below). Attack vectors are somewhat limited but depend on how the host header is used by the back-e...