For webinar programs, I have auto-responder confirmation emails that tokenize the lead first name after someone registers. I was forwarded the below description of how this could potentially be exploited to send out malicious/phishing links to other people. Has anyone encountered this issue coming up? How did you deal with an issue like this?
Bug Type : Hyperlink Injection
A user can change their name to a URL in order to send email invitations containing malicious hyperlinks.
Steps to Reproduce:
Request for a new account with the first name https://www.google.com
You will receive the auto-responder confirmation email where you can see the injected url ..
You will receive a new email with the first word being a link to a potentially malicious site.
This permits users to send malicious/phishing links to potential clients. It could also have an effect on how spam filters treat your emails.