IDOR, Content Spoofing and Url Redirection via unsubscribe email in Confluent

Divyanshu Shukla
Sep 28, 2018 · 2 min read


While I was looking through my emails to unsubscribe from them, there was a mail from Confluent. On copying the link, I found a subdomain. Changing the id parameter allowed any user to be unsubscribed from Confluent mails; along with that, it allowed content spoofing, and after submitting the unsubscribe it redirected to the homepage. So after changing the URL from the homepage to any website.


Content spoofing, also referred to as content injection, “arbitrary text injection” or virtual defacement, is an attack targeting a user, made possible by an injection vulnerability in a web application.

Open redirects (unvalidated redirects and forwards) are possible when a web application accepts untrusted input that can cause it to redirect the request to a URL contained within that untrusted input.

Insecure Direct Object Reference (IDOR) refers to a reference to an internal implementation object being exposed to users without any proper access control.

Unsubscribe Link

It is vulnerable to content spoofing, URL redirection and IDOR.

Vulnerable parameters:
id= xxxxxx
message= xxxxxx



1) Click on the URL.
2) Add the parameters &message=ALERT &unsubscribe_redirect_url=
3) Click on Unsubscribe.
4) It redirects to

There is a possibility that this might be leveraged for phishing attacks.


Any malicious user can unsubscribe anyone who has subscribed to the emails simply by brute-forcing the id parameter, and the message parameter can be used to spoof a prompt to click Unsubscribe, which then redirects to a malicious website.


Since it was a simple business logic error, the fix was to take the id and message fields and replace them with a signature, so that the input cannot be provided externally.

Since this was a third-party issue (the mail is sent through a managed service and does not come directly under Confluent), the organization responsible for the issue confirmed that it has been remediated and the fix has been implemented.
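As an added illustration of the signature-based fix described above (example code written for this post, not Confluent's or the mail provider's implementation; the hostname, secret key and redirect allow-list are assumed placeholders): the server signs the id and message pair with an HMAC when it builds the link, rejects any request whose parameters no longer match the signature, and only honours same-origin redirect targets.

```python
import hmac
import hashlib
from typing import Optional, Tuple
from urllib.parse import urlencode, parse_qs, urlparse

# Server-side secret: constructed placeholder for this example, never ship a literal.
SECRET_KEY = b"example-server-secret-do-not-reuse"
# Only these hosts may be used as post-unsubscribe redirect targets (assumed).
ALLOWED_REDIRECT_HOSTS = {"www.example.com"}

def _signature(subscriber_id: str, message: str) -> str:
    # Bind the subscriber id and the displayed message into one MAC,
    # so neither can be altered independently of the other.
    payload = f"{subscriber_id}|{message}".encode()
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()

def build_unsubscribe_link(subscriber_id: str, message: str) -> str:
    # The server, not the recipient, chooses id and message; sig covers both.
    query = {"id": subscriber_id, "message": message,
             "sig": _signature(subscriber_id, message)}
    return "https://www.example.com/unsubscribe?" + urlencode(query)

def verify_unsubscribe_request(url: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Only untampered id/message pairs pass."""
    params = parse_qs(urlparse(url).query)
    try:
        subscriber_id = params["id"][0]
        message = params["message"][0]
        sig = params["sig"][0]
    except KeyError:
        return False, "missing parameter"
    expected = _signature(subscriber_id, message)
    # Constant-time comparison avoids leaking the signature byte by byte.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"

def safe_redirect_target(requested: Optional[str], default: str = "/") -> str:
    # Ignore attacker-controlled redirect targets: only relative paths
    # (not protocol-relative "//host") or allow-listed HTTPS hosts are honoured.
    if not requested:
        return default
    parsed = urlparse(requested)
    if (parsed.scheme == "" and parsed.netloc == ""
            and requested.startswith("/") and not requested.startswith("//")):
        return requested
    if parsed.scheme == "https" and parsed.netloc in ALLOWED_REDIRECT_HOSTS:
        return requested
    return default
```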



06/29/2018: Discovered and reported to the Confluent team
06/29/2018: Bug confirmed
08/17/2018: Bug fixed by third party and confirmed by the Confluent team
08/30/2018: Confirmed for public disclosure
09/28/2018: Published POC

