iodigital-com / SecretSanta

Secret santa is the #1 online gift exchange organizer. https://www.secretsantaorganizer.com
ISC License
129 stars 65 forks

Email redirects to phishing site when opened on a mobile device #572

Closed zackslash closed 5 months ago

zackslash commented 1 year ago

We have used this app in previous years, but this year when emails are received and the "Find out your person" link is pressed on a mobile device, it is redirecting participants to a phishing site. This has been reported from multiple participants.

Note: This only seems to happen when the link is opened on a mobile device, it does not happen on desktop.

Note 2: Canceling your party will stop participants who have not yet clicked the link from being redirected to the phishing site (instead they will receive an error).

Screenshot
RubenHollevoet commented 1 year ago

Hi @zackslash, thx for your report! I am investigating the issue but wasn't able to reproduce it yet. My assumption would be that some third-party tools (like corrupted browser plugins or other applications) on the device of the party creator have managed to infiltrate into the party details. As I understood the party has been removed for now, so I am unable to have a closer look for this specific case. I assume you only had that experience for this specific party?

Anyhow, we will do some more research on this topic and take extra measurements to prevent such things from happening in the future.

zackslash commented 1 year ago

Hey @RubenHollevoet, Thanks for the quick response.

We have been able to replicate this on multiple iOS devices (multiple individuals across multiple geographical locations).

It seems to be replicable when creating any new party but only seems to redirect participants using iOS devices.

zackslash commented 1 year ago

I've had more reports that this is also happening on Android devices, so it does not seem limited to iOS.

Looking at the request flow, it seems like the redirect may be started by 'invoke.js'. Additionally, I tested blocking the domain 'highcpmcreativeformat.com' at DNS level and that stops the redirects to the phishing site from happening, so I suspect this URL could be publishing malicious code on your site.

There are multiple embeds of that site in this project, for example:

SecretSanta/templates/Participant/show/valid.html.twig:112

document.write('<scr' + 'ipt type="text/javascript" src="//www.highcpmcreativeformat.com/4e46a9746a54e456c0123bd2f828c7c5/invoke.js"></scr' + 'ipt>');

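The comment above identifies the third-party ad loader (`invoke.js` from `highcpmcreativeformat.com`, injected through a split-string `document.write` so a naive grep for `<script` misses it) as the likely source of the redirect. The following Node.js script is an added example and is not part of the SecretSanta project or of the issue's own code: it audits template text for every `<script src>` load, including ones hidden inside string concatenations like `'<scr' + 'ipt'`, and reports any host that is not on an explicit allowlist. The allowlist (`cdn.example.org`) and the sample template are constructed for the example; the sample reuses the embed quoted in the comment.

```javascript
// Added example (not SecretSanta project code): audit templates for
// third-party <script src> loads, including document.write('<scr' + 'ipt ...')
// concatenations, and report hosts that are not on an explicit allowlist.
// Run with: node audit-embeds.js

// Constructed sample template text; the document.write line mirrors the
// embed quoted in the issue, the other two script tags are made up.
const SAMPLE_TEMPLATE = `
<script src="/build/app.js"></script>
<script>
document.write('<scr' + 'ipt type="text/javascript" src="//www.highcpmcreativeformat.com/4e46a9746a54e456c0123bd2f828c7c5/invoke.js"></scr' + 'ipt>');
</script>
<script src="https://cdn.example.org/lib.js"></script>
`;

// Assumed allowlist of hosts the site is expected to load script from.
const ALLOWED_HOSTS = new Set(["cdn.example.org"]);

// Collapse JavaScript string concatenations such as '<scr' + 'ipt' (same
// quote character on both sides) so the markup they build can be inspected
// as one string.
function joinConcatenatedStrings(source) {
  return source.replace(/(['"])\s*\+\s*\1/g, "");
}

// Matches a <script ...> opening tag and captures its src attribute value.
const SCRIPT_SRC = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;

// Return every script src found in the (de-concatenated) source, in order.
function extractScriptSources(source) {
  const joined = joinConcatenatedStrings(source);
  const sources = [];
  for (const match of joined.matchAll(SCRIPT_SRC)) sources.push(match[1]);
  return sources;
}

// Hostname of an absolute or protocol-relative URL; null for same-origin
// (relative) paths, which load from the site itself.
function hostOf(src) {
  const absolute = src.startsWith("//") ? "https:" + src : src;
  try {
    return new URL(absolute).hostname;
  } catch {
    return null;
  }
}

// Sorted list of external script hosts that are not on the allowlist.
function findUnexpectedHosts(source, allowed = ALLOWED_HOSTS) {
  const hosts = new Set();
  for (const src of extractScriptSources(source)) {
    const host = hostOf(src);
    if (host !== null && !allowed.has(host)) hosts.add(host);
  }
  return [...hosts].sort();
}

// A Content-Security-Policy script-src directive built from the same
// allowlist: scripts inserted via document.write are subject to CSP too,
// so the browser refuses to fetch a loader from any host not listed here.
function buildScriptSrcPolicy(allowed = ALLOWED_HOSTS) {
  return `script-src 'self' ${[...allowed].sort().join(" ")}`;
}

// Report for the constructed sample.
const offending = findUnexpectedHosts(SAMPLE_TEMPLATE);
console.log("script sources:", extractScriptSources(SAMPLE_TEMPLATE));
console.log("hosts not on allowlist:", offending);
console.log("suggested header: Content-Security-Policy: " + buildScriptSrcPolicy());
```

Pointing the scanner at the real `templates/` directory would mean reading each file and calling `findUnexpectedHosts` on its contents; every host it reports is one that can change what the page does without a code change in the repository, which is exactly how an ad network's loader ends up redirecting visitors. Shipping the generated `script-src` directive as a response header is the complementary control: it stops the browser from executing a loader from an unlisted host even if an embed is reintroduced in a template.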
hvanoch commented 1 year ago

I can say I am currently experiencing the same. As well as my participants.

RubenHollevoet commented 1 year ago

Thanks for the extra investigation! I will get in touch with the ones who are able to redeploy. Hopefully it will be fixed soon

@tvlooy could you checkout b3ae08b?

tvlooy commented 1 year ago

disabled adsterra stuff and discussing with marketing people

JerrySievert commented 11 months ago

I'm getting reports from my parents of mobile asking for credit card information and claims of this being a paid service. Neither has ad blockers on.

tvlooy commented 11 months ago

That's not good at all! Can you email your management page to tom.vanlooy at iodigital dot com?