This finding is special for me because it is my first valid vulnerability that was responsibly disclosed and acknowledged by the security team. As a beginner, moments like this build confidence and motivate me to keep learning and improving my skills.
I discovered this issue while casually testing a SaaS platform's registration flow to understand how user input behaves in real applications. I didn't use any advanced tools, just curiosity, observation, and basic testing techniques. In this write-up, I'll share what I found and how I found it.
Responsible Disclosure
The issue was responsibly reported to the platform's security team and has been acknowledged and fixed.
No sensitive technical details are shared in this article intentionally.
Introduction
What is Hyper Link Injection?
Hyperlink injection occurs when user input is displayed without proper filtering and automatically becomes a clickable link. If this happens inside trusted content like system emails, users may unknowingly click attacker-controlled links, creating phishing risk.
How I Found It
While I was not getting any findings from bug bounty platforms, I decided to improve my skills by doing Google dorking and exploring random websites.
Step 1: Testing the Registration Form
During this process, I came across a website and opened its registration page. I carefully looked at the input fields available:
- First Name
- Password
I started thinking about how user input is handled in these fields. Since I had previously read a Medium article about Hyperlink Injection (HLI), I suspected that the First Name field could be an interesting place to test this behavior.
Normally, people enter a real name in the First Name field. Instead, I entered a value that looks like a website:
evil.com
I wanted to see how the system would handle this input during the registration process.
Step 2: Checking the Verification Email
After registration, the system sent a verification email (normal behavior).
I opened the email and looked carefully at the greeting text.
It appeared like this:
Hi Evil.com

But here's the important part: the text was automatically converted into a clickable hyperlink by the email client.
That means when someone clicks on the text, the browser opens that external site.
This happened automatically. The application itself didn't create a link, but the email client detected something that looked like a URL and converted it into a clickable link.
Step 3: Understanding Why This Is Dangerous
Verification emails are highly trusted by users. When someone receives a signup or verification email, they usually trust everything inside it and click without thinking too much.
If attacker-controlled text becomes clickable inside a trusted email:
- Users may click it without suspicion
- They may be redirected to an external website
- This can be abused for phishing or fake pages
This creates a trust abuse scenario.
The danger is not the link itself. The danger is where it appears: inside a trusted system email.
Step 4: Reporting
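The behaviour described above (a bare domain in the name field, echoed into a trusted email, auto-linked by the mail client) is usually closed in two places: reject link-looking values at registration, and never echo an unchecked name into the greeting anyway. The following Python module is an added example written for this write-up; it is not the affected platform's code, and the regexes, length limit and the "Hi there" fallback are assumptions chosen for illustration.

```python
import html
import re

# Constructed, illustrative patterns (not from the original post). They flag
# the kinds of strings that mail clients tend to turn into links on their
# own: an explicit scheme, a "www." prefix, or a bare domain.tld token.
_SCHEME_RE = re.compile(r"(?i)\b(?:https?|ftp|mailto):")
_WWW_RE = re.compile(r"(?i)\bwww\.")
# A token like "evil.com" or "login.example.org": one or more DNS labels
# followed by a 2-24 letter TLD, not glued to other word characters.
_DOMAIN_RE = re.compile(
    r"(?i)(?<![\w.-])(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}(?![\w-])"
)
_MAX_NAME_LEN = 64  # assumed limit for this example


def looks_like_link(value: str) -> bool:
    """True if a mail client would plausibly render `value` as a clickable link."""
    return bool(
        _SCHEME_RE.search(value)
        or _WWW_RE.search(value)
        or _DOMAIN_RE.search(value)
    )


def validate_first_name(value: str) -> str:
    """Registration-time check: return the trimmed name or raise ValueError."""
    name = value.strip()
    if not name or len(name) > _MAX_NAME_LEN:
        raise ValueError(f"first name must be 1-{_MAX_NAME_LEN} characters")
    if looks_like_link(name):
        raise ValueError("first name must not contain a URL or domain name")
    if any(ch in name for ch in "<>\"/\\"):
        raise ValueError("first name contains characters that are not allowed")
    return name


def is_valid_first_name(value: str) -> bool:
    """Boolean wrapper around validate_first_name for callers that prefer it."""
    try:
        validate_first_name(value)
        return True
    except ValueError:
        return False


def render_greeting(first_name: str, html_mail: bool = True) -> str:
    """Render the greeting line of a system email.

    Defence in depth: even if a link-looking name reached the database before
    validation existed, it is never echoed into the mail. For HTML mail the
    name is escaped so it cannot carry markup of its own either.
    """
    if looks_like_link(first_name):
        return "Hi there,"
    shown = html.escape(first_name) if html_mail else first_name
    return f"Hi {shown},"


if __name__ == "__main__":
    # Constructed sample inputs: a normal name and the value from the write-up.
    for candidate in ("Mary", "evil.com", "www.example.org", "Dr. Who"):
        print(f"{candidate!r:20} valid={is_valid_first_name(candidate)!s:5} "
              f"greeting={render_greeting(candidate)!r}")
```

The domain pattern is deliberately conservative: something like "O.Neil" with no space after the dot is also treated as link-looking, which a real deployment might tune with a TLD allowlist. What matters for the issue in this write-up is that the greeting falls back to a neutral form whenever the name could be auto-linked, regardless of what the validation layer let through.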
After testing and confirming the behavior, I responsibly reported the issue to the organization's security team with proper details and proof of concept. The team acknowledged the report and later fixed the issue.
Closing
This finding reminded me that security issues are often hidden in small details, not only in login pages or APIs, but also in emails and user communication flows.
Thank youu!!