The “P5” Link Injection Story
Hello guys! As soon as I posted this tweet, I got loads of DMs asking questions about it, so I decided to do a small writeup. Even though it is a P5 in Bugcrowd, it was triaged in this program. So, let’s begin!
It was my mom’s and sister’s birthday (yes, they’re b’day twins), so I decided to order some food. After placing an order, the restaurant sent an “Order Successful” email, which confirmed that the order was placed successfully.
The email had the items I had ordered and the restaurant's address. Now here’s the thing:
As you can see above, “PH.NO” under the restaurant address is blue in color, which means it is a link. I sent in a report mentioning that “PH.NO” is rendered as a link and not as text, and they said that it is because of the email provider. However, they assured me that they might fix this later by using “Ph:” instead of “PH.NO”.
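The finding comes down to plain text in a transactional email that a mail client treats as a hostname. As an added example (not part of the original post), here is a check a template owner could run over outgoing email text. It assumes the client auto-links bare tokens ending in a known top-level domain such as `.no`; the TLD set, sample email and function name are constructed for illustration.

```python
import re

# Constructed, partial TLD set for the demo; a real check would load the full
# IANA list. "no" is Norway's ccTLD, so "PH.NO" has the shape of a hostname.
SAMPLE_TLDS = {"com", "net", "org", "io", "no", "in", "co", "me"}

# Explicit URLs and e-mail addresses are intentional links, so they are skipped.
EXPLICIT = re.compile(r"(?:https?://|www\.)\S+|\S+@\S+", re.I)
# label(.label)*.tld that is not embedded in a longer token.
CANDIDATE = re.compile(
    r"(?<![\w.@/-])((?:[a-z0-9-]+\.)+([a-z]{2,}))(?![\w-])", re.I
)

def find_autolink_candidates(text, tlds=SAMPLE_TLDS):
    """Return (line_no, token) pairs for plain text a client may auto-link."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        # Blank out explicit links so only accidental ones are reported.
        masked = EXPLICIT.sub(lambda m: " " * len(m.group()), line)
        for m in CANDIDATE.finditer(masked):
            if m.group(2).lower() in tlds:
                hits.append((line_no, m.group(1)))
    return hits

# Constructed sample e-mail body, modelled on the layout described in the post.
SAMPLE_EMAIL = """\
Order Successful
Example Restaurant, 12 Sample Street
PH.NO 555-0100
Track your order at https://orders.example.com/track
"""

# The wording change the program proposed: "Ph:" instead of "PH.NO".
FIXED_EMAIL = SAMPLE_EMAIL.replace("PH.NO", "Ph:")

if __name__ == "__main__":
    for line_no, token in find_autolink_candidates(SAMPLE_EMAIL):
        print(f"line {line_no}: '{token}' may be rendered as a link")
    print("after fix:", find_autolink_candidates(FIXED_EMAIL))
```
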
Thank you so much for reading this one. I’ll be doing some more writeups in the coming days. For updates, follow me on Twitter if you haven't already: https://twitter.com/silentbronco. My DMs are always open to everyone!
Have a great day!