Android HTML Injection in Email Abused for $$$
I found this bug while hunting on an Android application. You can simply try injecting HTML tags into any user input field whose value ends up in an email, where the tags will be rendered. This is low-hanging fruit 🍎🍎
Hello folks, in this article I will explain Android HTML injection in email.
HTML injection is a security vulnerability that allows an attacker to inject HTML code into web pages that are viewed by other users.
Personally, I enjoy hunting on Android applications more than web apps, because most of the time, if you find a small bug in Android, especially on Bugcrowd or HackerOne, you will get a good bounty.
Also, a small bug has more severity and impact than in a web app; moreover, there are very few Android testers in the industry, as it requires some additional skill set and understanding.
Let's get started !! 😉
I logged in to the application after signup and went to the profile page!
There I had an option to update the name.
Here I tried entering SSTI payloads, but they didn’t work.
Then I tried hyperlink injection, and went back to the forgot password page to send an email... it worked... Great!
But the impact is low, and most of the time companies don’t consider hyperlink injection, because it requires some user interaction or social engineering to trick the user.
Then, instead of the hyperlink, I injected an HTML underline tag, which is <u>Hacker</u>, and sent an email via forgot password.
Ohhhhhh…Injected successfully..!! 😂😂
Most of the time, testers will stop here. But I tried to inject more tags to show the impact.
Then I tried injecting the button tag... again it was successful!
Wow…!!
It’s really cool….
Then immediately I started making the report.
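For anyone fixing this class of bug, here is an added example (not code from the tested application or from this write-up) showing the profile name interpolated into a reset email as-is, next to a version that HTML-encodes it at output time. The template, function names and addresses are assumptions made for illustration.

```python
import html
from email.message import EmailMessage

# Hypothetical template; the real application's email template is not shown here.
TEMPLATE = "<p>Hi {name},</p><p>Use the link below to reset your password.</p>"


def render_vulnerable(name: str) -> str:
    # The profile name is interpolated as-is, so tags in it become markup.
    return TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    # Encode for an HTML context at output time; tags arrive as visible text.
    return TEMPLATE.format(name=html.escape(name, quote=True))


def build_reset_email(to_addr: str, name: str) -> EmailMessage:
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = "Password reset"
    # The text/plain part is not parsed as HTML, so it needs no encoding.
    msg.set_content(f"Hi {name},\nUse the link below to reset your password.")
    msg.add_alternative(render_safe(name), subtype="html")
    return msg


def html_part(msg: EmailMessage) -> str:
    # Return the decoded text/html alternative of the message.
    return msg.get_body(preferencelist=("html",)).get_content()


# Constructed sample inputs: the underline tag from the write-up, a button tag,
# and a legitimate name containing a character that must also be encoded.
SAMPLES = ["<u>Hacker</u>", "<button>Click</button>", "Alice & Bob"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("vulnerable:", render_vulnerable(sample))
        print("safe      :", html_part(build_reset_email("user@example.com", sample)).strip())
```

Encoding when the email is rendered, not when the name is saved, keeps the stored value intact for other contexts and covers every template that reuses the field.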
Happy Hacking 🥂🥂
Thanks for reading.
Please follow me for more writeups.