Able to Corrupt the Okta Verify App on iPhone

We created a custom “Send Push Verify Activation Link” email, and the editor made a typo in the link that is sent in the email. Clicking on this link, which I guess surprisingly is not sanitized, made it possible for us to permanently destroy the Okta Verify app on the iPhone. The only solution was re-installation.

Android continued to function properly.

The typo in question dropped a quotation mark:

<a id="push-verify-activation-link" href="${pushVerifyActivationLink} style="text-decoration:none">

So in essence, the link “${pushVerifyActivationLink} style=” is sufficient to cause significant breakage. The link rendered as “https://XXXXXX.okta.com/auth/push/link/XXXXX-XXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXX%20style=”.

The app pops up and then breaks and is unable to be opened or to approve push notifications from other sites.

Of course we fixed the typo, but thought Okta should be made aware 🙂
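A pre-send lint for this class of template typo, as an added example that is not part of the original post and not Okta's code: it flags `<a>` tags with an odd number of double quotes and `href` values that have swallowed the start of the next attribute, and it checks a rendered link for the `%20style=` residue described above. The function names, the corrected tag and the sample URLs (host `tenant.example`) are constructed for illustration, and double-quoted attributes are assumed.

```python
import re
from urllib.parse import urlsplit

A_TAG = re.compile(r"<a\b[^>]*>", re.IGNORECASE)
HREF = re.compile(r'\bhref\s*=\s*"(.*?)"', re.IGNORECASE | re.DOTALL)

# The tag from the post (typo kept) and a corrected form (assumed fix).
BROKEN = ('<a id="push-verify-activation-link" '
          'href="${pushVerifyActivationLink} style="text-decoration:none">')
FIXED = ('<a id="push-verify-activation-link" '
         'href="${pushVerifyActivationLink}" style="text-decoration:none">')

# Constructed sample links modelled on the shape shown in the post.
BAD_URL = "https://tenant.example/auth/push/link/AAAAA-BBBBB/CCCCC%20style="
GOOD_URL = "https://tenant.example/auth/push/link/AAAAA-BBBBB/CCCCC"


def lint_template(html):
    """Return (reason, detail) findings for <a> tags with broken quoting."""
    findings = []
    for tag in A_TAG.findall(html):
        # Every double-quoted attribute contributes two quotes, so an odd
        # count means an opening or closing quote was dropped.
        if tag.count('"') % 2:
            findings.append(("unbalanced double quotes", tag))
        for value in HREF.findall(tag):
            # A URL or ${placeholder} never contains raw whitespace; if it
            # does, the value ran on into the next attribute.
            if re.search(r"\s", value) or value.endswith("="):
                findings.append(("href absorbs following attribute", value))
    return findings


def rendered_link_ok(url):
    """Reject a rendered link whose path carries attribute residue."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return not re.search(r"\s|%20|=$", parts.path)


if __name__ == "__main__":
    for reason, detail in lint_template(BROKEN):
        print(f"{reason}: {detail}")
    print("fixed template findings:", lint_template(FIXED))
    print("bad link ok?", rendered_link_ok(BAD_URL))
    print("good link ok?", rendered_link_ok(GOOD_URL))
```
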

@nachopescado Could you create a Support case with Okta Support for this issue?

I guess! I don’t really need support though, as we fixed the issue on our end. Does a support ticket need to be created for your internal process?