Summary by mohammadowais
Appending "/%2fanything.com/test/" to the host value resulted in embedding desired links to external hosts on the Opera domain.
Link hijacking leads to open redirection on accounts.yoyogames.com
Disclosed by mohammadowais- Engagement Opera Public Bug Bounty
- Disclosed date over 4 years ago
- Reward $100
- Priority P4 Bugcrowd's VRT priority rating
- Status Resolved This vulnerability has been accepted and fixed
Report details
-
Submitted
-
Target Location
accounts.yoyogames.com -
Target category
API Testing
-
VRT
Unvalidated Redirects and Forwards > Open Redirect > GET-Based -
Priority
P4 -
Bug URL
accounts.yoyogames.com -
Description
Hi,
I found out that a logout's link can be hijacked and could lead to open redirection.
Proof of Concept.
Login to https://accounts.yoyogames.com/ from mobile or if will replicate this on Desktop, minimise your window a bit (about to a half) so that you will see navigation tabs.
Go to the affected URL:
https://accounts.yoyogames.com//%2fevil.com/test/Open "Logout" in new tab. You'll visit evil.com in new tab.
Additional Information
An endpoint like this:
https://accounts.yoyogames.com//%2fevil.com/test/; will reflect this in page source:<li><a data-controller="logout" data-action="logout#submitLogoutForm" href="//evil.com/test">Logout</a></li>This means the navigation link for logout will be set to attacker's controlled site.
Mere clicking on it will not result into redirection since logout doesn't happen with the GET request on /logout; opening the logout in new tab will lead victim to attacker's controlled site.Kind and Best Regards,
-MO