The “P5” Link Injection Story

Hello guys! As soon as I posted this tweet, I got loads of DMs asking questions about it, so I decided to do a small writeup. Even though it is a P5 on Bugcrowd, it was triaged in this program. So, let’s begin!

P5 → P4 → P?

It was my mom’s and sister’s birthday (yes, they’re b’day twins), so I decided to order some food. After placing an order, the restaurant sent an “Order Successful” email, which confirmed that the order was placed successfully.

Order Successful Email

The email had the items I had ordered and the restaurant's address. Now here’s the thing:

PH.NO is rendered as a link.

As you can see above, “PH.NO” under the restaurant address is blue in color, which means it is a link. I sent in a report mentioning that “PH.NO” is rendered as a link and not as text, and they said that it is because of the email provider; however, they assured me that they might fix this later by using “Ph:” instead of “PH.NO”.
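Mail clients auto-link plain text that looks like a hostname, and ".NO" is Norway's country-code TLD, so "PH.NO" has the shape of a domain. The check below is an added example, not code from this writeup or from the program: it scans the text of a transactional email for such tokens before it is sent. The TLD subset, the function name and the sample email are constructed for illustration.

```python
import re

# Constructed subset of TLDs for the demo. Assumption: a real check would
# load the complete IANA TLD list instead of this short set.
SAMPLE_TLDS = {"no", "com", "net", "org", "in", "io", "me", "to", "id"}

# One or more dot-terminated labels followed by an alphabetic final label.
# The lookbehind skips text that already belongs to a URL path, an email
# address or a longer word, so intended links are not reported.
CANDIDATE = re.compile(
    r"(?<![\w@/.-])((?:[A-Za-z0-9-]+\.)+([A-Za-z]{2,}))(?![\w-])"
)


def find_autolink_candidates(text, tlds=SAMPLE_TLDS):
    """Return (line_number, token) pairs for plain-text tokens that a mail
    client is likely to render as a clickable link."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            token, tld = match.group(1), match.group(2)
            if tld.lower() in tlds:
                hits.append((line_no, token))
    return hits


# Constructed sample modelled on the "Order Successful" email described above.
SAMPLE_EMAIL = """Order Successful
Restaurant: Example Diner, 12 Sample Street
PH.NO: 000-000-0000
Ph: 000-000-0000
Total: 12.50
Support: https://example.com/help or help@example.com
"""

if __name__ == "__main__":
    for line_no, token in find_autolink_candidates(SAMPLE_EMAIL):
        print(f"line {line_no}: '{token}' may be auto-linked by mail clients")
```

Only the "PH.NO" label is reported; the "Ph:" wording the program proposed, the price and the intentional support link pass the check.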

Thank you so much for reading this one. I’ll be doing some more writeups in the coming days. For updates, follow me on Twitter if you haven't already. My DMs are always open to everyone!

Have a great day!
