Statuspage / STATUS-305

Subscribing using a webhook with a payload can allow an attacker to send a payload with an email


    Severity 3 - Minor

      Issue Summary

      We were recently made aware of a bypass in the webhook URL validation that allows an attacker to have a crafted payload delivered to a victim in a subscription email.

      Steps to Reproduce

      1. Navigate to a status page that has webhook subscriptions enabled (e.g. OpenSea: https://status.opensea.io/#updates-dropdown-webhook)
      2. Click the Subscribe To Updates button
      3. Choose the webhook option (updates-dropdown-webhook)
      4. Put a payload in the Webhook URL field, for example: https://opensea.com@_says_that_donate_some_etherreum_here//attacker@wearehackerone.com
      5. Enter the victim's email address, then click Subscribe

      Expected Results

      The email does not contain a clickable link

      Actual Results

      The webhook URL is rendered in the email as a clickable link, and its attacker-controlled text may be malicious.

      Workaround

      Customers who wish to can disable webhook subscriptions on their page.
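      The payload above works because the text between "https://" and the first "@" is parsed as URL userinfo, so "opensea.com" is not the host at all and the free-form string after it is. The following is an added example (not Statuspage's own code) of the two server-side checks a defender would want: strict validation of the submitted webhook URL (reject userinfo, require a well-formed DNS hostname) and rendering the URL in the confirmation email as escaped text rather than a hyperlink. The function names, the hostname regex and the hooks.example.com test endpoint are assumptions for illustration; the rejected URL is the one from the report.

```python
import html
import re
from urllib.parse import urlsplit

# Assumed policy: a DNS hostname of dot-separated labels with an alphabetic TLD.
# IP literals, single-label names (localhost) and underscores are rejected.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def validate_webhook_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason) for a user-submitted webhook URL.

    Only http(s) URLs with a plain hostname and no userinfo are accepted, so a
    string like https://trusted.example@attacker-text/... cannot masquerade as
    a trusted host. (Hypothetical helper, not Statuspage's validator.)
    """
    if not isinstance(url, str):
        return False, "URL must be a string"
    if any(ch.isspace() for ch in url):
        return False, "whitespace is not allowed in a webhook URL"
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ("http", "https"):
        return False, "scheme must be http or https"
    # Userinfo is the trick in the report: everything before '@' is not the host.
    if parts.username is not None or parts.password is not None or "@" in parts.netloc:
        return False, "userinfo (user@host) is not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if not _HOST_RE.match(host):
        return False, f"invalid hostname: {host!r}"
    return True, "ok"


def confirmation_email_html(url: str) -> str:
    """Render the subscribed endpoint in the confirmation email as escaped text.

    The URL is deliberately not wrapped in an <a> element, so even a URL that
    slipped past validation cannot become a clickable lure in the victim's inbox.
    """
    return (
        "<p>You subscribed the webhook endpoint: "
        f"<code>{html.escape(url, quote=True)}</code></p>"
    )


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate endpoint and the URL from the report.
    for candidate in (
        "https://hooks.example.com/statuspage",
        "https://opensea.com@_says_that_donate_some_etherreum_here//attacker@wearehackerone.com",
        "ftp://hooks.example.com/x",
        "https://localhost/x",
    ):
        ok, reason = validate_webhook_url(candidate)
        print(f"{'ACCEPT' if ok else 'REJECT':6} {candidate} ({reason})")
    print(confirmation_email_html("https://hooks.example.com/statuspage"))
```

      Rejecting IP literals and single-label hosts is a policy choice made here for a public SaaS webhook field; an internal deployment might relax it, but the userinfo rejection and the no-hyperlink rendering are the two checks that close the reported issue.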

            Assignee: Unassigned
            Reporter: Erica Zhong (ezhong2@atlassian.com)