Email redirects to phishing site when opened on a mobile device #572
Comments
Hi @zackslash, thanks for your report! Anyhow, we will do some more research on this topic and take extra measurements to prevent such things from happening in the future.
Hey @RubenHollevoet, we have been able to replicate this on multiple iOS devices (multiple individuals across multiple geographical locations). It seems to be replicable when creating any new party, but it only seems to redirect participants using iOS devices.
I've had more reports that this is also happening on Android devices, so it does not seem limited to iOS. Looking at the request flow, it seems like the redirect may be started by 'invoke.js'. Additionally, I tested blocking the domain 'highcpmcreativeformat.com' at DNS level and that stops the redirects to the phishing site from happening, so I suspect this URL could be publishing malicious code on your site. There are multiple embeds of that site in this project, for example: SecretSanta/templates/Participant/show/valid.html.twig:112
I can say I am currently experiencing the same, as well as my participants.
Disabled adsterra stuff and discussing with marketing people.
I'm getting reports from my parents of mobile asking for credit card information and claims of this being a paid service. Neither have ad blockers on.
That's not good at all! Can you email your management page to tom.vanlooy at iodigital dot com?
We have used this app in previous years, but this year when emails are received and the "Find out your person" link is pressed on a mobile device, it redirects participants to a phishing site. This has been reported by multiple participants.
Note: This only seems to happen when the link is opened on a mobile device; it does not happen on desktop.
Note 2: Canceling your party will stop participants who have not yet clicked the link from being redirected to the phishing site (instead they will receive an error).