Open Redirects & Security Done Right!

Ax Sharma
Jun 19, 2018 · 4 min read
Screenshot of StartupTree.co Homepage (06/18/2018)

Everything is vulnerable, as they say, and the trend seems to be getting worse with the ever-increasing number of connected “smart” devices.

What matters is, how one addresses what is vulnerable and how quickly.

Yesterday, my regular Monday morning started with a 32 oz. mug of coffee and an email invite to join an online network from a random member of the University of Nebraska Omaha, who probably mistook my highly common name for someone else at the university. Nevertheless, I went ahead and signed up for the cool-looking site, StartupTree. There’s something about the buzzwords “entrepreneurship”, “startups”, “venture capitalists” etc. that sends me back to my undergraduate years!

Moments later, I noticed the signup page carried a query-string (GET) parameter called next. Any web developer will recognise the pattern: parameters named “next” or “url” hold the page the user should be sent to after signup or login, such as the account dashboard. The value is meant to be an internal path on the same site, and the application redirects to it once authentication succeeds. That is:

https://*.startuptree.co/login?next=<.../some/internal/page>

There I found a simple yet dangerous Open Redirect vulnerability (CWE-601, URL Redirection to Untrusted Site). The application never checked that the value of next actually pointed back into the site: changing it to an external URL, such as https://google.com, made the site redirect the user to that external page after login.

Open Redirect vulnerability on StartupTree

Aha! As expected, I got redirected to Google! This was enough for demonstration purposes.


Open Redirects may appear to be simple, innocuous flaws, but attackers actively exploit them to conduct convincing phishing attacks. Such attacks succeed in part because the domain part of the URL is genuinely legitimate, making the link look ‘clean’ to an unsuspecting user (and to naive link filters). The host is still https://*.startuptree.co; everything after it can easily be URL-encoded and masked. A malicious actor could, for example, send a victim a link to StartupTree’s real login page with the next parameter pointing at a phishing site: a page impersonating StartupTree and asking for the user’s billing information. The victim authenticates on the genuine site, is bounced straight to the attacker’s page, and has little reason to suspect anything. For example:

https://*.startuptree.co/login?next=http%3A%2F%2Fphishhh.top%2Fpage
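To make the flaw and its fix concrete, here is a small Python example written for this write-up; it is not StartupTree’s code, and the origin app.startuptree.co and the /dashboard default are assumptions. redirect_target_vulnerable is the pattern described above, where whatever next holds becomes the redirect. redirect_target_safe accepts only a path on the same site: it rejects absolute URLs to other hosts, protocol-relative //host forms and their backslash and triple-slash variants (which browsers treat as a host even though Python’s parser does not), non-http schemes such as javascript:, and control characters that some parsers silently drop. next_from_login_url shows that the URL-encoded payload in the phishing link above is just a plain external URL once the framework decodes the query string.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed example for this write-up; not StartupTree's code.
# The origin below is an assumption, not a real StartupTree host.
SITE_SCHEME = "https"
SITE_HOST = "app.startuptree.co"
DEFAULT_NEXT = "/dashboard"


def next_from_login_url(login_url):
    """Extract the already-decoded `next` value the way a web framework
    does when it parses the query string of the login URL."""
    query = urlsplit(login_url).query
    return parse_qs(query).get("next", [""])[0]


def redirect_target_vulnerable(next_param):
    """The pattern the post describes: whatever `next` holds becomes the
    Location header, so http://phishhh.top/page is followed as-is."""
    return next_param or DEFAULT_NEXT


def redirect_target_safe(next_param, default=DEFAULT_NEXT):
    """Return `next_param` only if it is a path on this site; otherwise
    fall back to `default`. Always hands back a relative path, so the
    Location header can never name another host."""
    if not next_param:
        return default
    # Browsers treat "\" like "/" in http(s) URLs, so "/\evil.com" is
    # really "//evil.com"; normalise before parsing.
    candidate = next_param.strip().replace("\\", "/")
    # Tabs, newlines and other control characters are dropped by browsers
    # and by some parsers, which can hide a scheme or host; reject outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: allow only our exact origin.
        # "app.startuptree.co@evil.com" and "app.startuptree.co.evil.com"
        # both fail this comparison.
        if parts.scheme != SITE_SCHEME or parts.netloc.lower() != SITE_HOST:
            return default
        path = parts.path or "/"
    else:
        # urlsplit gives "///evil.com" an empty netloc and path "/evil.com",
        # but browsers read it as host evil.com; catch it on the raw string.
        if candidate.startswith("//"):
            return default
        path = parts.path
    # Must be an absolute path on this site, not "" / "dashboard" / "//x".
    if not path.startswith("/") or path.startswith("//"):
        return default
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    # The phishing link from the post, with the assumed host filled in.
    phish = "https://app.startuptree.co/login?next=http%3A%2F%2Fphishhh.top%2Fpage"
    nxt = next_from_login_url(phish)
    print("decoded next:", nxt)
    print("vulnerable  :", redirect_target_vulnerable(nxt))
    print("hardened    :", redirect_target_safe(nxt))
```

The hardened version deliberately returns a relative path even when given a same-origin absolute URL, so a later change to the host comparison can never turn into a cross-site redirect. If a site genuinely needs to bounce users to other domains, the right tool is an allowlist of exact hostnames, never a substring or prefix check on the string.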

Having confirmed the vulnerability, I immediately reached out to StartupTree support, expecting little, if any, response. Past experience suggests that folks take security lightly until something catastrophic happens: look at the Panera Bread case, or my frustrating firsthand experience with Tech.

06/18/2018 8:04 AM ET: Initial Vulnerability Report to StartupTree

And merely 7 minutes later, the company’s founder, Peter Cortle, responded, reassuring me that immediate action was being taken.

06/18/2018 8:11 AM ET: CEO’s timely response

Much to my surprise, I also received a thank-you note from Peter along with an honorarium: a $100 check for helping out. That was completely unexpected and definitely made my day. The vulnerability itself was, of course, remediated the same day.

Surprise Bounty for Vulnerability Reporting

Way to go, StartupTree! An ideal example of vulnerability patching done right. I hope other startups and established companies can learn from this experience too, and I don’t mean just offering researchers compensation, although that is much appreciated.

Don’t wait to release a fix until there’s no other choice left. Even seemingly minor vulnerabilities can have a major impact on your company’s finances and brand reputation.

To learn ethical hacking and get started with vulnerability hunting on your own, feel free to check out The Complete Ethical Hacking Course Bundle.

© 2018. Akshay ‘Ax’ Sharma (Twitter). All Rights Reserved.


Written by Ax Sharma

Security Researcher | Tech Columnist | https://hey.ax

AxDB

Accidental eXposures Database (AxDB) — a publication featuring groundbreaking, firsthand vulnerability exposures affecting leading organisations and cyber systems, to which news media and the research community can subscribe.
