phishing with html

TL;DR: HTML injection within a money request mail leads to phishing.

I recently found an HTML injection vulnerability within PayPal's money request function.

I was able to inject HTML code into a money request mail sent from PayPal
to a victim user and turn it into a neat phishing mail.

injection point

keine<br><br><b>Hinweise von Paypal<br>Achtung!!</b> Dein Kontostand ist <b>negativ.<br><A HREF="">Jetzt handeln!</A><br>Dein Paypal Team.

The phishing mail sent through PayPal.
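To show the defect and its fix side by side, here is an added illustration (not PayPal's code, which is not public): a minimal money request mail template that interpolates the sender's note verbatim, the same template with every user-supplied field HTML-escaped, and a check that flags markup the template itself never emits. The template, field names and sample sender/amount are assumptions; the note text is the payload from the writeup.

```python
import html
import re

# Constructed sample input: the note a sender attaches to a money request.
# This is the injected text shown above; the empty href is kept as on the page.
MALICIOUS_NOTE = (
    'keine<br><br><b>Hinweise von Paypal<br>Achtung!!</b> Dein Kontostand ist '
    '<b>negativ.<br><A HREF="">Jetzt handeln!</A><br>Dein Paypal Team.'
)

# Assumed mail template; the real one is not known.
TEMPLATE = """<html><body>
<p>{sender} requested {amount} from you.</p>
<p>Note from sender:</p>
<p>{note}</p>
</body></html>"""


def render_vulnerable(sender, amount, note):
    """'Before' behaviour: the note lands in the HTML body unescaped,
    so any tags the sender types are rendered by the recipient's mail client."""
    return TEMPLATE.format(sender=sender, amount=amount, note=note)


def render_hardened(sender, amount, note):
    """Fix: escape every user-supplied field, so '<b>' is displayed as
    literal text ('&lt;b&gt;') instead of being interpreted as markup."""
    return TEMPLATE.format(
        sender=html.escape(sender, quote=True),
        amount=html.escape(str(amount), quote=True),
        note=html.escape(note, quote=True),
    )


# Matches the tag name of an opening or closing tag, e.g. "<b", "</p", "<A HREF".
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def injected_tags(rendered, template=TEMPLATE):
    """Detection check for outbound mail: tag names present in the rendered
    message that the template itself never produces. Non-empty means a
    user-controlled field smuggled markup into the body."""
    allowed = {t.lower() for t in TAG_RE.findall(template)}
    return sorted({t.lower() for t in TAG_RE.findall(rendered)} - allowed)
```

Running `injected_tags(render_vulnerable("Alice", "10,00 EUR", MALICIOUS_NOTE))` returns `['a', 'b', 'br']`, while the hardened rendering returns an empty list.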


  • 20.01.2015 vulnerability discovered
  • 22.01.2015 bug reported to PayPal
  • 26.01.2015 PayPal confirmed the issue
  • 28.01.2015 fix and reward