Open Redirect using redirect-uri parameter in the URL leads to Mass Information Disclosure of all sensitive Information collected during Verification.

Disclosed by
jeetbhdr
  • Program Undisclosed
  • Disclosed date over 1 year ago
  • Priority P5 Bugcrowd's VRT priority rating
  • Status Informational This vulnerability is seen as an accepted business risk
Summary by jeetbhdr

Open-Redirect using the redirect-uri parameter in the url overrides the original redirect url provided during Inquiry Creation.

Report details

  • Submitted

  • Target Location

    https://inquiry.withpersona.com

  • Target category

    Web App

  • VRT

    Unvalidated Redirects and Forwards > Open Redirect > GET-Based

  • Priority

    P5
  • Bug URL
    Empty
  • Description

    GET-Based Open Redirect and Mass Information Disclosure

    Overview of the Vulnerability

    Open redirects enable an attacker to manipulate a user by redirecting them to a malicious site. A GET-based open redirect was identified which can impact users' ability to trust legitimate web pages. An attacker can send a phishing email that contains a link with a legitimate business name in the URL and the user will be redirected from the legitimate web server to any external domain. Users are less likely to notice subsequent redirects to different domains when an authentic URL with a valid SSL certificate can be used within the phishing link.

    This type of attack is also a precursor for more serious vulnerabilities such as Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), Cross-Site Request Forgery (CSRF), or successful phishing attempts where an attacker can harvest users' credentials or gain users' OAuth access by relaying them through an Open Redirection, to a server they control (and can see the inbound requests from).

    Business Impact

    GET-based open redirects can result in reputational damage for the business as customers' trust is negatively impacted by an attacker sending them to a phishing site to extract login credentials, or coercing them to send a financial transaction.

    Summary

    When we create an Inquiry we can specify where we want to redirect the user after they complete their verification.{Ofcourse a normal admin will redirect the user to their own page i.e "https://app.withpersona.com/dashboard/login"}.But i have found that i can bypass the redirect location provided during creation of Inquiry and insert my own malicious URL to redirect the users to malicious site. This is because there is no verification of the URL provided during Inquiry Creation and the URL present in redirect-uri parameter.Using this redirection i {as an attcker} can view all the information that the victim has submitted during the verification process that includes (SSN, Govt ID number , email etc).All this information will be available in the Referer Header on the GET request to your malicious site.

    Steps to Reproduce

    In order to Reproduce this issue you need to use my account. Because there is some changes which doesn't allow newly created account to "Create Inquiry".

    My email: jeetbhdr+8@bugcrowdninja.com
    My password: Testaccount01@

    1.Login to my account .

    2.Go to Inquiry .Click on Create Inquiry Select the "SSN Verification : Database" Template and click Create Inquiry and Intercept the request. In the Requests json body's attributes section insert
    "redirect-uri": "https://app.withpersona.com/dashboard/login"
    and send that Request .
    We have used "https://app.withpersona.com/dashboard/login" cause this is persona's login dashboard

    Screenshot_2022-09-17_22_12_34.png

    3.One Inquiry will be created .Copy the Inquiry link paste it in Incognito tab and complete the verification. You will see

    Screenshot_2022-09-17_22_17_15.png

    This page and when you click Done . YOu will be redirected to "https://app.withpersona.com/dashboard/login" if you haven't logged in or you will be in persona's dashboard if you are logged in.
    This was the normal flow of redirection.

    3.Now again create a Inquiry as mentioned in step 2 add the parameter etc.

    1. Now copy the Inquiry link and paste it in incognito tab . This time add the redirect-uri paramter in URL with your burp collaborator url [i don't have burp pro so i will be using interactsh web client to see requests that hits my site]. After you add the paramter and your collaborator url hit enter .

    Screenshot_2022-09-17_22_59_31.png

    5.Now verify the Inquiry and when you complete the Inquiry hit Done.You will be redirected to your collaborator site with a lots of sensitive data in the URL. ALso you can check the GET request's Referrer Header to your collaborator . It contains all the sensitive information which is submitted during verification.

    Screenshot_2022-09-17_23_06_41.png

    Impact

    Mass Information Disclosure using the Open Redirection. Initially i have marked it as Open Redirection but its a mass information leakage of Highly sensitive [SSN,Govt Id Number etc} data to any random sites.I request traiger and customer to Kindly change the severity because this effects the end-user directly .

    There should be a validation between the redirect-uri value that is provided during the Inquiry Creation and the redirect-uri value in the parameter it it matches the Inquiry verification should work as normal or else it must be aborted . Also you shouldn't leak all the verification details collected during the Inquiry verification while redirecting the user. It gets saved in the logs .

    I will post a POC video for easy Reproduction . Thank you for looking into my report.

Activity