simpleanalytics / roadmap

File your bugs and feature requests here

Possible redirection to external website after login success #625

Closed xuronno closed 2 years ago

xuronno commented 2 years ago

Hello, I have found an unauthorized redirect on the https://simpleanalytics.com/login page where I can lead the user to my sample phishing page. (It may lead to account takeover when the user gets baited.)

Impact

Proof of concept URL: https://simpleanalytics.com/login?next=https://evil.audaxss.repl.co

Sample executions:


How to execute the vulnerability:

  1. Go to https://simpleanalytics.com/login?next=https://your-evil-site.com
  2. Log in to your account.
  3. After you log in, you will be redirected to the attacker's website (according to the value of the `next` parameter).

adriaandotcom commented 2 years ago

Hey @heychrono. I appreciate you looking into this.

Although, the way you describe the issue, people can do this, why not redirect customers directly to that "evil" website as an attacker?

You still would need the emails of our customers. So I guess this is just a regular phishing email. Not much we can do about that within our tool.

Do you agree?

xuronno commented 2 years ago

Hello, thank you for your reply. Regarding your statement that an attacker would need the email account of your customer: this bug is only exploitable when the user uses the password option. On the other hand, this bug is a threat to the users who always use the password option, like me, who doesn't want to open my email too often.

jibsaramnim commented 2 years ago

I too wonder if there is any difference to just sending a direct link to a fake but real looking login page in an attempt to bait the customer into entering their login information.

The only way this could possibly be used for anything potentially nefarious would be to somehow convince a customer to open a link the perpetrator has provided that contains a different site in the next value, rather than the official link, right? And even then no personal/login data would be transferred, and you'd somehow have to convince them to enter their login information once again (for example).

Unless I'm missing something —which is entirely possible— that just seems like attempting to have someone log in to a fake but real looking login page with unnecessary extra steps.

There's probably a case that can be made to have the successful login redirect not support full domain names, but I'm having a hard time seeing actual security implications.

What do you think?

xuronno commented 2 years ago

The issue here is the attacker will use your official website/domain to redirect the user to their phishing website.

Why not just use the direct link to the phishing site? Because it's more convincing for the victim to log in —because they see that they are on the official domain/website—. After the victim logs in, the victim will be redirected to the attacker's site, which shows a login error, for example —the victim will think he/she misspelled something—, so the victim will log in again. After logging in again, the victim will be redirected back to the official site.

What happened? When the user logs in to the attacker's site, the user's login data is saved on the attacker's website.

xuronno commented 2 years ago

I would like to add some cases: this bug can be executed when the user is already logged in; the victim will be automatically redirected to the attacker's website.

Scenario: When the victim clicks the link https://simpleanalytics.com/login?next=%2f%2f%65%76%69%6c%2e%61%75%64%61%78%73%73%2e%72%65%70%6c%2e%63%6f, the victim will be automatically redirected to the attacker's website —the phishing page may have some convincing message or dialogs to trick the victim (e.g. "User session ended, please log in again to continue.", "Security check, please log in to your account to continue.", etc.)— without logging in on the official website, because the victim was already logged in.
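The fix for an open redirect like the one described in this thread is to treat `next` as an untrusted path and only ever redirect within the application's own origin. The following is an added example written for this page, not Simple Analytics' code; `APP_ORIGIN` is an assumed placeholder origin and the sample inputs are constructed. It covers the absolute-URL case from the first comment and the percent-encoded scheme-relative (`%2f%2f`) case from the comment above, plus the backslash and dot-segment variants a practitioner would also want to reject.

```javascript
// Added example, not Simple Analytics' code: validate a post-login "next"
// parameter so that it can only send the browser back into our own origin.
// APP_ORIGIN is an assumed placeholder origin for the application.
const APP_ORIGIN = "https://app.example.test";
const FALLBACK = APP_ORIGIN + "/";

// Returns an absolute URL on APP_ORIGIN that is safe to use in a 302 Location
// header, or FALLBACK when "next" is missing, malformed or points elsewhere.
function safeNext(rawNext) {
  if (typeof rawNext !== "string" || rawNext === "") return FALLBACK;

  // Decode once so "%2f%2fhost" is seen as "//host"; a double-encoded value
  // ("%252f...") stays encoded and then fails the leading-slash check below.
  let decoded;
  try {
    decoded = decodeURIComponent(rawNext);
  } catch {
    return FALLBACK; // malformed percent-encoding
  }

  // Require exactly one leading slash. "//host" is a scheme-relative URL and
  // browsers treat "/\host" the same way, so both are rejected here.
  if (!/^\/(?![\/\\])/.test(decoded)) return FALLBACK;

  // Resolve against our own origin; the WHATWG URL parser normalizes dot
  // segments, strips tabs/newlines and re-encodes for us.
  let url;
  try {
    url = new URL(decoded, APP_ORIGIN);
  } catch {
    return FALLBACK;
  }
  if (url.origin !== APP_ORIGIN) return FALLBACK;

  // A path such as "/..//host" normalizes to "//host"; returning only the
  // relative path would make it scheme-relative again, so return the full href.
  return url.href;
}

// Constructed inputs illustrating the cases discussed in the thread.
const SAMPLES = [
  "/dashboard",
  "/settings?tab=billing#top",
  "https://evil.example",
  "//evil.example",
  "%2f%2fevil.example",
  "/\\evil.example",
  "/..//evil.example",
];

// Pairs each sample with the redirect target the server would actually use.
function demo() {
  return SAMPLES.map((next) => [next, safeNext(next)]);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [input, target] of demo()) console.log(input, "=>", target);
}
```

Returning the resolved absolute URL rather than the raw `next` value matters for the already-logged-in case in the comment above as well: the same `safeNext` check runs before the immediate redirect, so a user who is already authenticated is never bounced off the origin either.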

adriaandotcom commented 2 years ago

It makes it slightly more trustworthy to redirect via our own website, but it needs way too much luck to really get user data. That's why we decided to not pay for this "exploit". I appreciate you looking into this, but it's a whole different ballgame from the other exploit. I hope you understand!

xuronno commented 2 years ago

It’s alright, I just want to make the website secure for the users’ safety. Could you just fix it, please? So that I’d feel I’m at ease. Thanks!

Just wanna add this, Hackers can also troll the users: https://simpleanalytics.com/login?next=%2f%2f%73%68%6f%72%74%75%72%6c%2e%61%74%2f%72%75%4d%53%54

adriaandotcom commented 2 years ago

Haha, nice one. Fixed!