Open redirect is a security flaw in an app or web page that causes it to fail to properly validate a URL before redirecting to it.
When apps and web pages accept URLs in requests, they are supposed to verify that those URLs belong to the intended domain. Open redirect is a failure in that process that makes it possible for attackers to steer users to malicious third-party websites. Sites or apps that fail to validate URLs can become a vector for redirects to convincing fake sites built for identity theft, or to sites that install malware.
Here is how the OnePlus website was vulnerable to this issue.
After signing in to your account, when you try to sign out, a request is sent to the web server saying that the account needs to be logged out and that the page should redirect to the OnePlus homepage. This is where the vulnerability lies: the redirect URL was not validated by the server. As a result, if we intercept the traffic with BurpSuite, edit the response header, and change the redirect URL to some other malicious website, the browser is sent to that target URL after logging out. This is exploitable because the modified malicious URL only changes the redirect parameter, while the host remains the genuine OnePlus domain, so to the victim the link looks like a legitimate OnePlus URL.
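The fix on the server side is to treat the `callback` value as untrusted input and only honour it when it points back at a known host. The following Python is an added example written for this post; it is not OnePlus's code or part of the original write-up. The allowlist, the `/logout` path, the `callback` parameter name and the sample log lines are all constructed assumptions. It shows the weak pattern (echo whatever arrived) beside a hardened version that accepts only exact allowlisted hosts or plain relative paths, and a small log check that flags logout requests whose callback would have failed that validation.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist standing in for the hosts a logout handler may legitimately send users to.
ALLOWED_HOSTS = {"www.oneplus.in", "www.oneplus.com", "account.oneplus.com"}
DEFAULT_LANDING = "https://www.oneplus.in/"


def vulnerable_logout_target(callback: str) -> str:
    """The weak pattern: whatever arrives in ``callback`` becomes the Location header."""
    return callback or DEFAULT_LANDING


def is_safe_redirect(callback: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only absolute https URLs whose host is exactly on the allowlist,
    or path-only relative URLs. Foreign hosts, other schemes, scheme-relative
    ``//host`` forms, userinfo tricks and backslash/CRLF variants are rejected."""
    if not callback or any(c in callback for c in "\\\r\n"):
        return False
    parts = urlsplit(callback)
    if parts.scheme == "" and parts.netloc == "":
        # A relative path is fine, but "//host" would be parsed as a netloc above,
        # so anything reaching here that starts with "/" is a same-site path.
        return callback.startswith("/")
    if parts.scheme != "https":
        return False
    if "@" in parts.netloc:
        # e.g. https://www.oneplus.in@evil.example - the real host is after the "@"
        return False
    host = (parts.hostname or "").lower()
    # Exact match only: "www.oneplus.in.evil.example" must not pass a prefix check.
    return host in allowed_hosts


def hardened_logout_target(callback: str) -> str:
    """Return the callback if it validates, otherwise fall back to the homepage."""
    return callback if is_safe_redirect(callback) else DEFAULT_LANDING


# --- Detection side: scan access logs for logout callbacks that point off-site ---

# Constructed Apache/nginx-style lines (not real OnePlus traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /logout?callback=https%3A%2F%2Fwww.oneplus.in%2F HTTP/1.1" 302 0',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /logout?callback=https%3A%2F%2Fwww.bing.com%2F HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /account HTTP/1.1" 200 512',
]

LOG_RE = re.compile(r'"GET (\S+) HTTP/1\.[01]"')


def suspicious_callbacks(log_lines):
    """Return (line_number, callback) for logout requests whose callback fails validation."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        if not path.startswith("/logout"):
            continue
        # parse_qs percent-decodes the value, so we validate what the browser would see.
        for cb in parse_qs(urlsplit(path).query).get("callback", []):
            if not is_safe_redirect(cb):
                hits.append((n, cb))
    return hits


if __name__ == "__main__":
    print(vulnerable_logout_target("https://www.bing.com/"))   # off-site target accepted
    print(hardened_logout_target("https://www.bing.com/"))     # falls back to DEFAULT_LANDING
    print(suspicious_callbacks(SAMPLE_LOG))
```

The allowlist is an exact host match rather than a substring check, because `startswith("https://www.oneplus.in")` would also accept `https://www.oneplus.in.evil.example`. Scheme-relative and backslash forms are rejected outright since browsers normalise them differently from the server-side parser.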
Vulnerable domain: https://account.oneplus.com
Steps to Reproduce:
- Go to https://www.oneplus.in
- Sign in with a OnePlus account.
- Turn intercept on in BurpSuite and try to sign out.
- The request will be intercepted in BurpSuite. In the header, search for the parameter “callback” and replace the OnePlus homepage URL with anything else (e.g. bing.com).
- Forward the packet and turn intercept off.
- In the browser, it will now sign out of the OnePlus account but redirect to the Bing homepage.