IDOR, Content Spoofing and URL Redirection via Unsubscribe Email in Confluent

Summary

While I was looking through my mails to unsubscribe from them, there was a mail from Confluent. On copying the link, I found a subdomain, https://sdr.confluent.io. Changing the id parameter allowed any user to be unsubscribed from Confluent mails; along with that, it allowed content spoofing, and after submitting on unsubscribe it redirected to the homepage. So the URL could be changed from the homepage to any website.

Background

Content spoofing, also referred to as content injection, "arbitrary text injection" or virtual defacement, is an attack targeting a user that is made possible by an injection vulnerability in a web application.

Open redirects (unvalidated redirects and forwards) are possible when a web application accepts untrusted input that could cause it to redirect the request to a URL contained within that untrusted input.

Insecure Direct Object Reference refers to a reference to an internal implementation object being exposed to users without any proper access control.

Unsubscribe Link

Link:
https://sdr.confluent.io/api/mailings/1xxxx7/unsubscribe_html?id=1xxxx7&message=ALERT:%20THERE%20HAD%20BEEN%20A%20MASSIVE%20BREACH%20AT%20OUR%20DATA%20CENTER.%20KINDLY%20UNSUBSCRIBE%20AND%20RE-REGISTER%20AT%20https://xxx.org&org=03cc2586-0cbc-479a-a28c-25882d14226f&sig=tzKGVFwyxtfzk1KYmkZHOHWFWd4S7Bjnt-qePZ6RlmQ%3D&unsubscribe_redirect_url=https%3A%2F%2Fwww.openbugbounty.org
It is vulnerable to content spoofing, URL redirection and IDOR.

Vulnerable parameters:
id=xxxxxx
message=xxxxxx
unsubscribe_redirect_url=https://examplexxx.com

Content Spoofing

POC

1) Click on the URL.
2) Add the parameters &message=ALERT &unsubscribe_redirect_url=https://xxx.org
3) Click on Unsubscribe.
4) It redirects to www.xxx.org

There is a possibility that this might be leveraged for phishing attacks.

Impact

Any malicious user can unsubscribe anyone who has subscribed to the emails by simply brute-forcing the id parameter, and the message parameter can be used to spoof a message urging the user to click on Unsubscribe, which will then redirect to a malicious website.

Solution

Since it was a simple business logic error, the fix is to cover the id and message fields with a signature so that these inputs cannot be supplied externally.

Since this was a third-party issue, as the mail is under managed services and does not come directly under Confluent, the organization responsible for the issue confirmed that the issue has been remediated and the fix has been implemented.
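To show what "covering the fields with a signature" looks like in practice, here is an added example of a signed unsubscribe link and its server-side handler. It is not Confluent's or the mailing provider's code; the secret key, the redirect allowlist, the example hosts and the field names are assumptions for the example. The signature covers the subscriber id, the organization and the redirect target, so editing any of them in the URL invalidates the link (no IDOR, no open redirect), and the message shown on the page is fixed server-side, so a message parameter in the URL is simply ignored (no content spoofing).

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed secret for this example; a real service keeps it in a secret store.
SECRET_KEY = b"example-server-side-secret-do-not-reuse"

# Constructed allowlist: only hosts the mailing service owns may be used as the
# post-unsubscribe redirect target, and only over https.
ALLOWED_REDIRECT_HOSTS = {"www.example.org"}
DEFAULT_REDIRECT = "https://www.example.org/"

# Fields the signature covers. "message" is deliberately absent: the text shown
# to the subscriber comes from the server, never from the URL.
SIGNED_FIELDS = ("mailing", "id", "org", "unsubscribe_redirect_url")


def _canonical(params: dict) -> bytes:
    # Fixed field order so the link builder and the handler hash the same bytes.
    return "&".join(f"{k}={params.get(k, '')}" for k in SIGNED_FIELDS).encode()


def sign(params: dict) -> str:
    """HMAC-SHA256 over the canonical signed fields, URL-safe base64 encoded."""
    mac = hmac.new(SECRET_KEY, _canonical(params), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def build_unsubscribe_link(mailing: str, subscriber_id: str, org: str,
                           redirect: str = DEFAULT_REDIRECT) -> str:
    """Link builder run by the mailing service when it sends the email (example host)."""
    params = {"mailing": mailing, "id": subscriber_id, "org": org,
              "unsubscribe_redirect_url": redirect}
    params["sig"] = sign(params)
    return f"https://mailer.example.invalid/api/mailings/{mailing}/unsubscribe_html?{urlencode(params)}"


def handle_unsubscribe(url: str) -> dict:
    """Server-side handler: returns what the service would do for this link."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    sig = query.pop("sig", "")
    # Any change to id, org or the redirect target invalidates the signature.
    if not hmac.compare_digest(sig, sign(query)):
        return {"ok": False, "reason": "bad signature"}
    redirect = query.get("unsubscribe_redirect_url", DEFAULT_REDIRECT)
    parsed = urlparse(redirect)
    # Defence in depth: even a correctly signed link may only redirect to our own hosts.
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_REDIRECT_HOSTS:
        return {"ok": False, "reason": "redirect host not allowed"}
    # A "message" parameter in the URL is never read; the page copy is fixed here.
    return {"ok": True, "unsubscribed_id": query["id"], "redirect": redirect,
            "message": "You have been unsubscribed."}
```

Because the id still appears in the link, it remains an exposed object reference; the MAC is what makes it unusable for anyone who did not receive the email. An equally valid design is to drop the id entirely and issue an opaque random per-recipient token that the server maps back to the subscriber.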

Reference

https://hackerone.com/reports/201314
https://hackerone.com/reports/230328
https://www.bugcrowd.com/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/

Timeline

06/29/2018: Discovered and reported to Confluent team
06/29/2018: Bug confirmed
08/17/2018: Bug fixed by third party and confirmed by Confluent team
08/30/2018: Confirmed for public disclosure
09/28/2018: Published POC

#justmorpheus