Open Redirects & Security Done Right!

Ax Sharma
Jun 19, 2018 · 4 min read
Screenshot of StartupTree.co Homepage (06/18/2018)

Everything is vulnerable, as they say, and the trend seems to be getting worse with the ever-increasing number of connected “smart” devices.

What matters is, how one addresses what is vulnerable and how quickly.

Yesterday, my regular Monday morning started with a 32 oz. mug of coffee and an email invite to join an online network from a random member of the University of Nebraska Omaha, who probably mistook my highly common name for someone else’s at the university. Nevertheless, I went ahead and signed up for the cool-looking site, StartupTree. There’s something about the buzzwords “entrepreneurship”, “startups”, “venture capitalists” etc. that sends me back to my undergraduate years!

Moments later, I noticed the signup page was using a GET parameter in the URL called next. As most web developers will know, GET parameters named “next” or “url” are typically used to redirect the user to a specified (typically internal) URL after signup or login, such as the user’s account Dashboard. That is:

https://*.startuptree.co/login?next=<.../some/internal/page>

There I found a simple yet dangerous Open Redirect vulnerability (CWE-601). Upon changing the value of the next parameter to an external URL, such as https://google.com, the website redirected the user to that external page.

Open Redirect vulnerability on StartupTree

Aha! As expected, I got redirected to Google! This was enough for demonstration purposes.

Open Redirects may appear to be simple, innocuous flaws, but attackers can actively exploit them to conduct convincing phishing attacks. Such attacks succeed in part because the domain part of the URL is legitimate, making the URL look 'clean' to an unsuspecting user. The website is still https://*.startuptree.co, and anything after it can easily be encoded and masked. A malicious actor could, for example, send a user to StartupTree’s genuine login page with the next parameter’s value replaced by a phishing webpage: a page impersonating StartupTree and asking for the user’s billing information. For example:

https://*.startuptree.co/login?next=http%3A%2F%2Fphishhh.top%2Fpage
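As an added illustration, not code from StartupTree or from the article, here is the vulnerable pattern described above beside a hardened handler for the next parameter, in Python. DEFAULT_NEXT is a constructed landing page; the validator works on the percent-decoded value, so the encoded form of the URL above is treated exactly like a plain external URL.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed for this example: where a logged-in user lands when "next"
# is missing or unsafe (the article calls this the account Dashboard).
DEFAULT_NEXT = "/dashboard"


def next_param(query_string: str) -> Optional[str]:
    """Pull the percent-decoded 'next' value out of a raw query string."""
    values = parse_qs(query_string, keep_blank_values=True).get("next")
    return values[0] if values else None


def redirect_target_vulnerable(raw_next: Optional[str]) -> str:
    """The CWE-601 pattern: whatever the client sent becomes Location."""
    return raw_next or DEFAULT_NEXT


def redirect_target_safe(raw_next: Optional[str], default: str = DEFAULT_NEXT) -> str:
    """Accept only a site-absolute path on the current origin; else fall back."""
    if not raw_next:
        return default
    # Browsers read backslashes as slashes, so "/\host" resolves like
    # "//host" (an external host). Reject them before anything else.
    if "\\" in raw_next:
        return default
    parts = urlsplit(raw_next)
    # A scheme ("https:") or authority ("//host") means the target leaves
    # our origin. Checking netloc also catches protocol-relative URLs.
    if parts.scheme or parts.netloc:
        return default
    # Require exactly one leading slash. "///host" has an empty netloc per
    # urlsplit, yet browsers collapse the slashes and navigate to "host".
    if not raw_next.startswith("/") or raw_next.startswith("//"):
        return default
    return raw_next
```

Anything that fails validation is replaced by the default page rather than echoed back, which is the behaviour a login handler should have had in the first place.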

Noticing the vulnerability, I immediately reached out to StartupTree support, expecting little: a response, if at all. From what has been learned in the past, folks take security lightly until something catastrophic happens. Look at the Panera Bread case or my frustrating firsthand experience with Tech.

06/18/2018 8:04 AM ET: Initial Vulnerability Report to StartupTree

…And merely 7 minutes later, the Founder of the company, Peter Cortle, responded, reassuring me that immediate action was being taken.

06/18/2018 8:11 AM ET: CEO’s timely response

Much to my surprise, I further received a thank-you note from Peter along with an honorarium — a $100 check for helping out! That was completely unexpected! It definitely made my day and, of course, the vulnerability was remediated the same day, at a moment’s notice!

Surprise Bounty for Vulnerability Reporting

Way to go, StartupTree! An ideal example of vulnerability patching done right! I hope other startups and established companies can learn from this experience too — and I don’t necessarily mean just offering researchers compensation, although it’s much appreciated.

Don’t wait to release a fix until… there’s no other choice left. Even seemingly minor vulnerabilities can have a major impact on your company’s finances and brand reputation.

To learn ethical hacking and get started with vulnerability hunting on your own, feel free to check out The Complete Ethical Hacking Course Bundle.

© 2018. Akshay ‘Ax’ Sharma (Twitter). All Rights Reserved.

Written by Ax Sharma
Security Engineer | Researcher | Tech Columnist | https://hey.ax

AxDB

Accidental eXposures Database (AxDB) — a publication featuring groundbreaking, firsthand vulnerability exposures affecting leading organisations and cyber systems, to which the news media and the research community can subscribe.
