IDOR, Content Spoofing and URL Redirection via unsubscribe email in Confluent
While going through my inbox to unsubscribe from mailing lists, I came across a mail from Confluent. Copying the unsubscribe link revealed a subdomain, https://sdr.confluent.io. Changing the id parameter allowed any user to be unsubscribed from Confluent mails; the same page also allowed content spoofing, and after submitting the unsubscribe request it redirected to the homepage, so the redirect target could be changed from the homepage to any website.
Content spoofing, also referred to as content injection, "arbitrary text injection" or virtual defacement, is an attack targeting a user that is made possible by an injection vulnerability in a web application.
Open redirects (unvalidated redirects and forwards) are possible when a web application accepts untrusted input that causes it to redirect the request to a URL contained within that input.
Insecure Direct Object Reference (IDOR) refers to a reference to an internal implementation object that is exposed to users without any proper access control.
The unsubscribe page is vulnerable to content spoofing, URL redirection and IDOR.
1) Click on the URL.
2) Add the parameters &message=ALERT &unsubscribe_redirect_url=https://xxx.org
3) Click on Unsubscribe.
4) It redirects to www.xxx.org.
There is a possibility that this might be leveraged for phishing attacks.
Any malicious user can unsubscribe anyone who has subscribed to the emails simply by brute-forcing the id parameter, and the message parameter can be used to spoof text telling the victim to click Unsubscribe, after which the page redirects to a malicious website.
Since this was a simple business logic error, the fix is to bind the id and message fields to a server-generated signature, so that these values cannot be supplied externally.
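The following is an added example of that fix, not code from the original post or from Confluent or its mail provider: the server signs the id and message it puts into the link with an HMAC, the unsubscribe handler rejects any request whose signature does not match, and the redirect target is only honoured when it points at an allowlisted host. The secret, endpoint and hostnames are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo secret; a real service loads this from a secrets store.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"
# Hypothetical allowlist: the only hosts the unsubscribe flow may redirect to.
ALLOWED_REDIRECT_HOSTS = {"www.example.com"}
DEFAULT_REDIRECT = "https://www.example.com/"
UNSUBSCRIBE_ENDPOINT = "https://unsubscribe.example.com/unsubscribe"  # hypothetical


def _sign(subscriber_id: str, message: str) -> str:
    """HMAC-SHA256 over the fields the mail system authored (id and message)."""
    payload = subscriber_id.encode() + b"\x00" + message.encode()
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def build_unsubscribe_link(subscriber_id: str, message: str) -> str:
    """Create the link placed in the email; only the server can produce a valid sig."""
    params = {"id": subscriber_id, "message": message,
              "sig": _sign(subscriber_id, message)}
    return UNSUBSCRIBE_ENDPOINT + "?" + urlencode(params)


def safe_redirect(candidate: str) -> str:
    """Accept only absolute https URLs on allowlisted hosts; otherwise use the homepage."""
    parsed = urlparse(candidate)
    if parsed.scheme == "https" and parsed.hostname in ALLOWED_REDIRECT_HOSTS:
        return candidate
    return DEFAULT_REDIRECT


def handle_unsubscribe(query_string: str) -> dict:
    """Server-side handler: verify the signature before trusting id or message."""
    q = parse_qs(query_string, keep_blank_values=True)
    subscriber_id = q.get("id", [""])[0]
    message = q.get("message", [""])[0]
    sig = q.get("sig", [""])[0]
    # Constant-time compare; a changed id or message no longer matches the signature.
    if not hmac.compare_digest(sig, _sign(subscriber_id, message)):
        return {"ok": False, "reason": "invalid signature", "redirect": DEFAULT_REDIRECT}
    redirect = safe_redirect(q.get("unsubscribe_redirect_url", [""])[0])
    return {"ok": True, "id": subscriber_id, "message": message, "redirect": redirect}
```

With this in place, changing the id or message parameter in the link yields an "invalid signature" result, and an injected unsubscribe_redirect_url pointing off-site falls back to the homepage.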
Since this was a third-party issue, as the mailing is handled under managed services and does not fall directly under Confluent, the organisation responsible for the issue confirmed that it has been remediated and the fix has been implemented.
06/29/2018: Discovered and reported to the Confluent team
06/29/2018: Bug confirmed
08/17/2018: Bug fixed by third party and confirmed by the Confluent team
08/30/2018: Confirmed for public disclosure
09/28/2018: Published POC