
Open Redirects & Security Done Right!

Screenshot of StartupTree.co Homepage (06/18/2018)

Everything is vulnerable, as they say. The trend seems to be getting worse with the ever increasing number of connected “smart” devices.

What matters is, how one addresses what is vulnerable and how quickly.

Yesterday, my regular Monday morning started with a 32 oz. mug of coffee and receiving an email invite to join an online network from a random member of University of Nebraska Omaha, who probably mistook my highly common name for someone else at the university. Nevertheless, I went ahead and signed up for the cool-looking site, StartupTree. There’s something about the buzzwords “entrepreneurship”, “startups”, “venture capitalists” etc. that send me back to my undergraduate years!

Moments later, I noticed the signup page was using a GET parameter in the URL called next. As most web developers will know, GET parameters named “next” or “url” are typically used to redirect the user to a specified (usually internal) URL after signup or login, such as the user’s account dashboard. That is:

https://*.startuptree.co/login?next=<.../some/internal/page>

There I found a simple yet dangerous Open Redirect vulnerability (CWE-601). Upon changing the value of the next parameter to an external URL, such as https://google.com, the website redirected the user to that external page.

Open Redirect vulnerability on StartupTree

Aha! As expected, I got redirected to Google! This was enough for demonstration purposes.

Open Redirects may appear to be simple, innocuous flaws, but attackers actively exploit them to conduct convincing phishing attacks. Such attacks succeed in part because the domain part of the URL is genuinely legitimate, which makes the link look “clean” to an unsuspecting user. The website is still https://*.startuptree.co, and anything after that can easily be URL-encoded and masked. A malicious actor, for example, could lure a user to log in on StartupTree’s page with the next parameter’s value replaced by a phishing page: a page impersonating StartupTree and asking for the user’s billing information. For example:

https://*.startuptree.co/login?next=http%3A%2F%2Fphishhh.top%2Fpage
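To make the fix concrete, here is an added example (my own illustration, not StartupTree’s code) of the vulnerable “use next as-is” pattern next to a hardened resolver. The host name app.example.test, the allowlist and the default landing page are constructed assumptions; the sample values reuse the shapes from this post (google.com, the phishhh.top page) plus a few encoded and obfuscated variants that a naive “does it start with a slash?” check would miss.

```python
from urllib.parse import urlparse

# Constructed assumptions for the demo: the hosts the application may
# legitimately redirect back to, and the page to use when 'next' is unusable.
ALLOWED_HOSTS = {"app.example.test"}
DEFAULT_AFTER_LOGIN = "/dashboard"


def resolve_next_vulnerable(next_param: str) -> str:
    """The CWE-601 pattern: whatever 'next' says is used as the redirect target."""
    return next_param or DEFAULT_AFTER_LOGIN


def is_safe_next(next_param: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if 'next' points back into the application.

    Accepted: an absolute path on this site ("/dashboard"), or an https URL
              whose hostname is in the allowlist.
    Rejected: other hosts, scheme-relative URLs ("//evil.example"), backslash
              variants browsers normalise to slashes, credentials in the
              authority ("host@evil.example"), non-https schemes, and control
              characters that some URL parsers silently drop.
    """
    if not next_param:
        return False
    # Reject tabs, newlines, spaces and other control characters before parsing:
    # urlparse strips some of them, which would let "/\t/evil.example" be misread.
    if any(ord(c) < 0x21 or c == "\x7f" for c in next_param):
        return False
    # Browsers treat "\" as "/" in URLs, urlparse does not; normalise first so
    # "/\evil.example" is seen for what the browser will make of it.
    candidate = next_param.replace("\\", "/")
    parsed = urlparse(candidate)

    if not parsed.scheme and not parsed.netloc:
        # Relative target: exactly one leading slash ("//host" is scheme-relative).
        return candidate.startswith("/") and not candidate.startswith("//")

    # Absolute target: only https, no userinfo, and the hostname (not the raw
    # netloc, which would still contain "user@") must be allowlisted.
    return (
        parsed.scheme == "https"
        and parsed.username is None
        and parsed.password is None
        and parsed.hostname in allowed_hosts
    )


def resolve_next_hardened(next_param: str) -> str:
    """Use 'next' only when it passes is_safe_next; otherwise go to a fixed page."""
    if is_safe_next(next_param):
        return next_param.replace("\\", "/")
    return DEFAULT_AFTER_LOGIN


if __name__ == "__main__":
    # Constructed sample values: a legitimate internal path, the two external
    # targets from the post, and obfuscated variants of the same idea.
    samples = [
        "/dashboard",
        "https://google.com",
        "http://phishhh.top/page",
        "//evil.example/page",
        "/\\evil.example",
        "https://app.example.test@evil.example/",
        "javascript:alert(1)",
        "https://app.example.test/dashboard",
    ]
    for s in samples:
        print(f"{s!r:42} vulnerable -> {resolve_next_vulnerable(s)!r:42} "
              f"hardened -> {resolve_next_hardened(s)!r}")
```

The key design choice is to decide on the parsed hostname against an explicit allowlist rather than to search the string for the site’s own domain: a substring or prefix check is what lets https://app.example.test.evil.example or https://app.example.test@evil.example slip through. If the application never needs an absolute URL in next, the second branch can simply be dropped and only same-site paths accepted.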

Noticing the vulnerability, I immediately reached out to StartupTree support, expecting little, or perhaps no response at all. Past experience has taught me that folks take security lightly until something catastrophic happens. Look at the Panera Bread case, or my frustrating firsthand experience with Tech.

06/18/2018 8:04 AM ET: Initial Vulnerability Report to StartupTree

…And, merely 7 minutes later, the Founder of the company, Peter Cortle, responded, reassuring me that immediate action was being taken.

06/18/2018 8:11 AM ET: CEO’s timely response

Much to my surprise, I further received a thank-you note from Peter along with an honorarium, a $100 check for helping out! That was completely unexpected! It definitely made my day and, of course, the vulnerability was remediated the same day, at a moment’s notice!

Surprise Bounty for Vulnerability Reporting

Way to go, StartupTree! An ideal example of vulnerability patching done right! I hope other startups and established companies can learn from this experience too, and I don’t necessarily mean just offering researchers compensation, although it’s much appreciated.

Don’t wait to release a fix until there’s no other choice left. Even seemingly minor vulnerabilities can have a major impact on your company’s finances and brand reputation.

© 2018. Akshay Sharma. All Rights Reserved.