watermark logo

Unvalidated Redirects/ Open Redirect Vulnerability on VK Oauth Login

23 Views
admin
admin
03 Dec 2019

Hi VK,

Here is Shaifullah Shaon (Black_EyE), An Ethical Hacker.
a white hat cyber security researcher from Bangladesh reporting a serious
[3'rd ranking in OWASP] security vulnerability on your system.

I faced a technical security bug called "Unvalidated_Redirects/ Open Redirect Vulnerability on VK Oauth Login".


Description of Vuln:
Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the
web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input
to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server
name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance.
Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s
access control check and then forward the attacker to privileged functions that they would normally not be able to access.

Reference:

Unvalidated_Redirects/ Open Redirect Vulnerability:
1. https://www.owasp.org/index.ph....p/Unvalidated_Redire
2. http://www-01.ibm.com/support/....docview.wss?uid=swg2


Vuln Link: https://oauth.vk.com/authorize?client_id=-1&display=widget&redirect_uri=close.html&widget=4

POC url: https://oauth.vk.com/authorize?client_id=-1&display=widget&redirect_uri=https%3A%2f%2ffacebook.com&widget=4


Let's follow me,
1. Open Vuln Link in browser.
2. Change redirect_uri= to any site.
Now I try to https://google.com
3. press my user id and password for login,
5. And as you see I can redirect to any site.

Let's Check again with facebook.com
As you see, here redirect to anysite using this method.


Please See my Video Poc for understand clearly. Hopefully Those are Very critical issue.
Resolve those issue as soon as possible.

Here is proof as video concept (unlisted): https://youtu.be/CD7aUZFaTFo

Thank you
Shaifullah Shaon (Black_EyE)
shaon.durjoy@gmail.com

Show more
0 Comments Sort By

No comments found

Facebook Comments

Up next

Open EBook LDAP Programming with Java (TM) online
00:21
Open EBook LDAP Programming with Java (TM) online
sarada
1 Views
Open EBook Murach s Java Programming online
00:20
Open EBook Murach s Java Programming online
sarada
1 Views
Open EBook Java Servlet Programming Bible online
00:21
Open EBook Java Servlet Programming Bible online
sarada
0 Views
Read Mastering Structured Data on the Semantic Web: From HTML5 Microdata to Linked Open Data
00:08
Read Mastering Structured Data on the Semantic Web: From HTML5 Microdata to Linked Open Data
sarada
1 Views
[PDF] Mastering Structured Data on the Semantic Web: From HTML5 Microdata to Linked Open Data
00:05
[PDF] Mastering Structured Data on the Semantic Web: From HTML5 Microdata to Linked Open Data
sarada
1 Views
Open EBook C++ Plus Data Structures online
00:20
Open EBook C++ Plus Data Structures online
sarada
1 Views
Open EBook Data Structures and Other Objects Using Java online
00:20
Open EBook Data Structures and Other Objects Using Java online
sarada
1 Views
Open Ebook Mobile Design Pattern Gallery: UI Patterns for Smartphone Apps online
00:20
Open Ebook Mobile Design Pattern Gallery: UI Patterns for Smartphone Apps online
sarada
3 Views
Open Ebook Head First Design Patterns online
00:24
Open Ebook Head First Design Patterns online
sarada
2 Views
Open EBook Design patterns : elements of reusable object-oriented software online
00:22
Open EBook Design patterns : elements of reusable object-oriented software online
admin
3 Views
Lakdi ki Kathi on open Channel
04:04
Lakdi ki Kathi on open Channel
sarada
2 Views
R. Kelly Interview Cold Open - SNL
00:07:37
R. Kelly Interview Cold Open - SNL
admin
4 Views
2004 U.S. Open: Goosen Holds Off Phil
00:02:02
2004 U.S. Open: Goosen Holds Off Phil
admin
4 Views
test with saml login
00:00:17
test with saml login
admin
7 Views
Peter Skopek - SAML and OAuth comparison, part 1
00:30:01
Peter Skopek - SAML and OAuth comparison, part 1
admin
5 Views
Citrix SAML Login without FAS
00:06:07
Citrix SAML Login without FAS
admin
5 Views
Install and configure IBM Notes client for federated login (SAML) on a PC workstation
00:04:39
Install and configure IBM Notes client for federated login (SAML) on a PC workstation
admin
25 Views
Single Sign On (SAML, WS-FED, OAuth) In Arabic
00:05:19
Single Sign On (SAML, WS-FED, OAuth) In Arabic
admin
5 Views
HYPR Passwordless Single Sign On SAML OAUTH
00:01:20
HYPR Passwordless Single Sign On SAML OAUTH
admin
10 Views