AnsweredAssumed Answered

Token Security in Auto-Responder Emails?

Question asked by 38dd8d7f5fc9a84f885922a8e68bc9c666c94a5e on Dec 6, 2016
Latest reply on Jan 3, 2017 by sanford.whiteman

For webinar programs, I have auto-responder confirmation emails that tokenize the lead first name after someone registers. I was forwarded the below description of how this could potentially be exploited to send out malicious/phishing links to other people. Has anyone encountered this issue coming up? How did you deal with an issue like this?

 

 

=====================================================================================

Bug Type : Hyperlink Injection

Description:

A user can change their name to a URL in order to send email invitations containing malicious hyperlinks.

Steps to Reproduce:

Request for a new account with the first name https://www.google.com

You will receive the auto-responder confirmation email where you can see the injected url ..

You will receive a new email with the first word being a link to a potentially malicious site.

Consequences

This permits users to send malicious/phishing links to potential clients. It could also have an effect on how spam filters treat your emails.

Outcomes