Subscribing using a webhook with a payload can allow an attacker to send a payload with an email


    • Severity 3 - Minor

      Issue Summary

      We were recently made aware of a bypass of the webhook URL validation that allows an attacker to deliver a payload (a misleading, clickable link) to a victim through the subscription confirmation email.

      Steps to Reproduce

      1. Navigate to a status page with webhook subscriptions (ex: OpenSea: https://status.opensea.io/#updates-dropdown-webhook)
      2. Click the Subscribe To Updates button
      3. Choose the updates-dropdown-webhook
      4. Put a payload in the Webhook URL field: https://opensea.com@_says_that_donate_some_etherreum_here//attacker@wearehackerone.com
      5. Enter the victim's email address, then click the Subscribe button

      Expected Results

      The email does not render the user-supplied webhook URL as a clickable link.

      Actual Results

      The webhook URL is rendered as a clickable link in the email and may be malicious: the text before the "@" looks like the status page's own domain, while the link actually points at the host after it.

      Workaround

      Customers who wish to can disable webhook subscriptions on their status page.
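      Added example, not part of this issue or of the product's code: it shows how a standard URL parser reads the reported payload (the text before "@" is userinfo, not the host) and a server-side check a status page could run before accepting a subscriber-supplied webhook URL. Function names are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# The payload from this report, kept here only as test input; it resolves nowhere.
REPORTED_PAYLOAD = "https://opensea.com@_says_that_donate_some_etherreum_here//attacker@wearehackerone.com"

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen, no underscores.
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def authority_breakdown(url: str) -> dict:
    """Show how a URL parser actually reads the authority section of a URL.

    Everything before the first '@' in the authority is userinfo, not the host,
    so 'https://opensea.com@other-host/...' points at other-host, not opensea.com.
    """
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme,
        "username": parts.username,   # the text a reader mistakes for the host
        "hostname": parts.hostname,   # where a request would really go
        "path": parts.path,
    }


def validate_webhook_url(url: str) -> tuple[bool, str]:
    """Server-side check for a subscriber-supplied webhook URL (assumed policy).

    Returns (accepted, reason). Rejects anything whose rendering in a
    notification email could mislead the reader about the destination.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} is not allowed"
    if "@" in parts.netloc:
        return False, "userinfo before '@' is not allowed in the authority"
    host = parts.hostname or ""
    if not host or not all(LABEL_RE.fullmatch(label) for label in host.split(".")):
        return False, f"host {host!r} is not a valid DNS name"
    if "@" in parts.path or parts.path.startswith("//"):
        return False, "path looks like a second authority section"
    return True, f"ok, webhook host is {host}"


def email_safe_description(url: str) -> str:
    """Text for the confirmation email instead of the raw, clickable URL."""
    accepted, reason = validate_webhook_url(url)
    if not accepted:
        return "webhook URL rejected: " + reason
    return f"Updates will be POSTed to the host {urlsplit(url).hostname} (link not shown)"
```

      Showing only the validated hostname in the email, rather than the full URL as a link, removes the misleading "opensea.com@" prefix from what the recipient sees.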

              Assignee: Unassigned
              Reporter: Erica Zhong (Inactive)
              Votes: 0
              Watchers: 5