SMS Injection
Including unvalidated user input in SMS messages allows attackers to inject newlines and craft fraudulent messages appearing to come from your application.
How It Works
SMS bodies are plain text: there is no markup and no boundary between the part your application wrote and the part an attacker supplied. A newline (\n or \r\n) inside user-controlled input is delivered as a line break, so whatever follows it renders as a fresh line of the same message, from the same sender ID. The recipient has no way to tell that "Your verification code is: 123456" came from your app while the next line came from whoever submitted the input. Long bodies are also segmented by the carrier (160 characters per segment for GSM-7 text, 70 if any character forces UCS-2 encoding), so injected text can push your legitimate content into a later segment or out of the lock-screen preview entirely. This is used to send fake payment confirmations or phishing links in your app's name.
```javascript
// BAD: user input directly in SMS body. A newline in req.body.code lets the
// sender append lines that look like part of the official message.
const message = `Your verification code is: ${req.body.code}`;
await twilioClient.messages.create({
  body: message,
  to: userPhone,
  from: fromNumber, // Twilio requires `from` or `messagingServiceSid`
});
```

```javascript
// GOOD: type-check, allowlist, and length-limit the value before it reaches the body.
// A non-string (number, array, object) would otherwise throw or be coerced unexpectedly.
const raw = typeof req.body.code === 'string' ? req.body.code : '';
const code = raw.replace(/[^0-9]/g, '').slice(0, 8);
if (!code) return res.status(400).json({ error: 'Invalid code' });
const message = `Your verification code is: ${code}`;
await twilioClient.messages.create({
  body: message,
  to: userPhone,
  from: fromNumber, // Twilio requires `from` or `messagingServiceSid`
});
```
Real-World Example
SMS injection attacks have been used to spoof bank alerts and OTP messages in multiple reported fraud cases. Attackers use newline characters to inject fake balance information or malicious links after a legitimate-looking first line.
How to Prevent It
- Never include raw user input in the SMS body; validate it against the shape the field is supposed to have and reject (rather than silently repair) anything that does not match
- For verification codes, use a strict allowlist (digits only, max 8 chars), and generate the code server-side; the request should carry an identifier for the code at most, never the code text itself
- For free-text fields that genuinely must appear (a customer name, a merchant name), strip all control characters, not only \n: \r, \t, and the Unicode line and paragraph separators U+2028/U+2029 are rendered as line breaks by some clients, and cap the field length so it cannot push your text into a later segment
- Prefer provider-side message templates where your provider supports them (Twilio's Content Templates, for example), so the body's structure is fixed and user data only fills typed placeholders
- Log all outbound SMS content and alert on bodies that contain a line break, since your own templates should never produce one
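A self-contained version of the checks above, as an added example that is not the page's own code and not Twilio's: it builds message bodies only and does not call a provider. The attacker payload, the field names and the helper functions (`sanitizeDigits`, `sanitizeFreeText`, `isSingleLineSms`) are constructed here for illustration. It goes slightly beyond the page's verification-code case by also handling a free-text field, where rejection is not an option and the input has to be neutralised instead.

```javascript
// Added example (not the page's or Twilio's code). Shows how a newline in
// user input rewrites an SMS, and a hardened builder that rejects or
// neutralises it.

// Constructed attacker input: a "code" that carries a forged second line.
const ATTACKER_CODE =
  '123456\nALERT: $2,450 was debited. Dispute at http://example.test/dispute';

// BAD: interpolates input verbatim. The recipient sees two lines, both
// apparently from the sender.
function buildVerificationSmsUnsafe(code) {
  return `Your verification code is: ${code}`;
}

// Characters that break or restructure a text message: ASCII controls
// (\n, \r, \t, ...), DEL, C1 controls, and Unicode line/paragraph separators.
// Kept as a non-global regex for .test()/.search() (a /g regex carries
// lastIndex state between calls) and as a /g copy for .replace().
const CONTROL_CHAR = /[\u0000-\u001F\u007F-\u009F\u2028\u2029]/;
const CONTROL_CHARS_G = new RegExp(CONTROL_CHAR.source, 'g');

// For a field that must be numeric (OTP, order number): allowlist digits only.
// Returns null unless the input is a plain string of minLen..maxLen digits,
// so the caller can reject the request instead of sending a mangled message.
function sanitizeDigits(value, maxLen = 8, minLen = 4) {
  if (typeof value !== 'string') return null;
  const digits = value.replace(/[^0-9]/g, '');
  // Reject if anything was stripped: an OTP containing "\n" is an attack
  // or a bug, not something to silently "fix" into a valid-looking code.
  if (digits !== value || digits.length < minLen || digits.length > maxLen) {
    return null;
  }
  return digits;
}

// For free text (a customer's name, a merchant name): replace control
// characters with spaces, collapse runs of whitespace, trim, and cap the
// length so the field cannot push the legitimate text into a later segment.
// The injected words may survive, but they can no longer form their own line.
function sanitizeFreeText(value, maxLen = 40) {
  if (typeof value !== 'string') return '';
  return value
    .replace(CONTROL_CHARS_G, ' ')
    .replace(/\s+/g, ' ')
    .trim()
    .slice(0, maxLen);
}

// GOOD: the body is assembled only from validated pieces.
function buildVerificationSms(code) {
  const safe = sanitizeDigits(code);
  if (safe === null) throw new Error('invalid verification code');
  return `Your verification code is: ${safe}`;
}

function buildOrderSms(customerName, orderId) {
  const name = sanitizeFreeText(customerName) || 'customer';
  const id = sanitizeDigits(orderId, 12);
  if (id === null) throw new Error('invalid order id');
  return `Hi ${name}, order ${id} has shipped.`;
}

// Outbound check, the last line of defence before the provider call:
// false for any body that still contains a line break or control character,
// which an alerting hook can flag since your own templates never produce one.
function isSingleLineSms(body) {
  return !CONTROL_CHAR.test(body);
}

// Demo of the difference as the recipient would see it.
console.log('--- unsafe ---');
console.log(buildVerificationSmsUnsafe(ATTACKER_CODE));
console.log('--- hardened ---');
try {
  console.log(buildVerificationSms(ATTACKER_CODE));
} catch (e) {
  console.log('rejected:', e.message);
}
console.log(buildOrderSms('Alice\nALERT: account locked', '10042'));
```

Note the asymmetry: the digits field is rejected outright when it contains anything but digits, because a verification code with a newline in it can only be an attack or a bug, whereas the free-text field is neutralised, since a customer name legitimately varies. `isSingleLineSms` is worth running on every outbound body regardless, as a cheap detector for any template that slipped past review.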
Related Vulnerabilities
Email Spoofing (Missing SPF/DKIM/DMARC) [severity: medium]
Without SPF, DKIM, and DMARC DNS records, anyone can send emails claiming to be from your domain, enabling phishing attacks against your users.

Push Notification Injection [severity: low]
Including unsanitized user input in push notification payloads allows attackers to craft misleading notifications in your app's name.