Hyperlink injection leads to redirect victim to malicious website in ikus060/rdiffweb
Reported on Sep 29th 2022
# Description
Hyperlink injection is when an attacker injects a malicious link into an email sent by the application (for example an invitation or notification), so that the recipient sees and trusts the link as coming from the legitimate sender.
# Proof of Concept
1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/general
2) Set your full name to "Your account has been hacked please visit evil.com"
3) Save changes
4) Perform any activity that triggers an email to the victim's registered email address (password change / request to enable 2FA)
5) The victim receives an email in which evil.com is rendered as a hyperlink
6) As soon as the victim clicks on evil.com, they are redirected to the malicious website
Consider a scenario where the user has left their account open in a cafe or library. The attacker gets access to the account and changes the full name to "Your account has been hacked please visit evil.com"; evil.com then appears as a hyperlink in the email received by the user. As soon as the victim clicks it, they are redirected to the malicious website.
Mitigation: the full name field should only accept letters (in the worst case some names may contain numbers); reject all special characters, including '.'.
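One way to implement the mitigation proposed above, as an added example and not rdiffweb's own code: a validator for the full-name preference that only accepts letters (any script), digits, spaces, hyphens and apostrophes, plus a separate detector that flags names already stored in the database which a mail client would auto-link. The detector is useful because most mail clients turn bare domain-like text such as "evil.com" into a clickable link even in a plain-text email, so HTML-escaping the name in the template is not enough on its own. Function and constant names are assumptions for this example.

```python
import re
import unicodedata

# Upper bound on the stored full name; an assumption for this example.
MAX_FULLNAME_LEN = 256

# Characters other than letters and digits that a real name may contain.
_EXTRA_ALLOWED = " -'"

# Heuristic for text a mail client is likely to turn into a link:
# an explicit scheme, a "www." prefix, or a bare domain such as "evil.com".
_LINKABLE = re.compile(
    r"(?i)(?:https?://|www\.)\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b"
)


def validate_fullname(name: str) -> tuple[bool, str]:
    """Return (True, normalized name) or (False, reason).

    Only Unicode letters (category L*), decimal digits (Nd), spaces,
    hyphens and apostrophes are accepted, so dots, slashes, colons and
    '@' can never reach an email template through this field.
    """
    name = " ".join(name.split())  # collapse internal whitespace
    if not name:
        return False, "Full name must not be empty"
    if len(name) > MAX_FULLNAME_LEN:
        return False, "Full name is too long"
    for ch in name:
        cat = unicodedata.category(ch)
        if cat.startswith("L") or cat == "Nd" or ch in _EXTRA_ALLOWED:
            continue
        return False, f"Character {ch!r} is not allowed in a full name"
    return True, name


def contains_linkable_token(text: str) -> bool:
    """True if a mail client would plausibly render part of text as a link.

    Intended for auditing names that were stored before validation existed.
    """
    return _LINKABLE.search(text) is not None


def audit_fullnames(rows: list[tuple[str, str]]) -> list[str]:
    """Return the usernames whose stored full name fails validation or
    contains a linkable token. `rows` is a list of (username, fullname)."""
    flagged = []
    for username, fullname in rows:
        ok, _ = validate_fullname(fullname)
        if not ok or contains_linkable_token(fullname):
            flagged.append(username)
    return flagged


if __name__ == "__main__":
    # Constructed sample rows standing in for the user table.
    sample = [
        ("alice", "Alice Martin"),
        ("bob", "Your account has been hacked please visit evil.com"),
        ("carol", "José Müller-O'Neil"),
    ]
    for user in audit_fullnames(sample):
        print(f"full name of {user!r} needs review")
```

`validate_fullname` belongs on the preferences form handler, before the value is written to the user table; `audit_fullnames` is a one-off check to run against existing accounts after the validation is deployed.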
# Impact
An attacker can redirect the victim to a malicious website.
# References
@admin could we assign a CVE to this issue as requested by the @maintainer?
@admin can we assign a CVE for this? A fix has been deployed.