subscan-explorer / subscan-issue-tracker

The issue tracker for Subscan.io.

Open Redirect Vulnerability on Login Page #108

Closed Sandiipmaity closed 1 month ago

Sandiipmaity commented 1 month ago

Confirmation

Affected Network(s)

https://pro.subscan.io/

Steps to reproduce

An Open Redirect is a vulnerability that occurs when a web application accepts untrusted input that specifies a URL, and then redirects the user's browser to that URL without proper validation. This flaw allows attackers to manipulate the redirect URL and send users to malicious or unintended websites.

I found this open redirect vulnerability on the login page of https://pro.subscan.io/, specifically in the redirect parameter. By manipulating this parameter, an attacker can redirect users to an external malicious site (such as https://www.attcker.com/), potentially facilitating phishing attacks, credential theft, or other malicious activity.

Steps to reproduce

  1. Open the browser and navigate to the following URL: https://pro.subscan.io/login?redirect=https%3A%2F%2Fwww.evil.com%2F
  2. Enter valid login credentials and submit the form.
  3. Observe that after submitting the login form, the browser redirects the user to https://www.evil.com/, a malicious site.

Expected output

Suggested Mitigation:

  1. Validate the redirect Parameter: Ensure that the redirect parameter only accepts URLs within the same domain or a list of trusted domains.
  2. URL Whitelisting: Implement a whitelist of approved redirect URLs. Only allow redirects to a small set of trusted internal URLs (e.g., paths like /dashboard, /profile, etc.).
  3. Sanitize Input: If the redirect is necessary for functionality, sanitize and validate all user-provided input to ensure it doesn't lead to external sites.
  4. User Warning: If redirection to an external URL is necessary (in certain cases), provide a clear warning to the user, asking for confirmation before redirecting them to a third-party site.

Actual output

Risk: The risk posed by this open redirect vulnerability is significant, as it can lead to phishing attacks, loss of user trust, and potential exposure to malware. It's recommended to address this issue as soon as possible.

The user may be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker-controlled web page that appears to be a trusted web site. The phishers may then steal the user’s credentials and then use these credentials to access the legitimate web site.

Additional factoids or references

Let me know if you need more information. Contact email: maitysandip925@gmail.com

Best regards, Sandip Bug Hunter / Security Researcher

WoeOm commented 1 month ago

Thanks for reporting this security issue, we will fix it in the next update.

Sandiipmaity commented 1 month ago

Dear Subscan Security Team,

Thank you for your prompt response and for acknowledging the security issue I reported. I’m glad to hear that the vulnerability will be fixed in your next update.

I want to express that my motivation for reporting this vulnerability stems from a deep passion for cybersecurity and the desire to help organizations like yours stay secure. I believe in the importance of contributing to the security community and supporting safe online environments.

Although I am aware that Subscan currently does not have a formal bug bounty program, I would like to humbly ask if there’s any possibility for a monetary reward in recognition of my efforts. Such a reward would greatly assist me in pursuing my higher education and would provide significant motivation to continue working toward securing other organizations just as I have done with yours.

Thank you once again for your consideration, and please feel free to reach out if you require further assistance with this or future security matters.

Looking forward to seeing the fix implemented.

Best regards, Sandip Bug Hunter / Security Researcher

yakio commented 1 month ago

Dear @Sandiipmaity ,

Thank you once again for bringing this important security issue to our attention. We are pleased to inform you that the open redirect vulnerability you reported has been successfully fixed in our latest update. We truly appreciate your efforts in helping us improve the security of our platform.

While we currently do not have a formal bug bounty program in place, we would like to acknowledge your contribution. Please provide us with your Polkadot account, and should we implement a reward program in the future, we will ensure you are included and contacted accordingly.

We value your commitment to cybersecurity and look forward to collaborating with you again in the future. Thank you for helping make Subscan a safer platform.

Best regards, Yakio | Subscan

Sandiipmaity commented 1 month ago

Dear Subscan Security Team,

Thank you for your kind response and for acknowledging the security issue I reported. I appreciate your willingness to include me in any future reward programs.

And here is my Polkadot account address: 5FWR5P58sYFgeB456aaPHkYAgwaKCFhwzm82Bi3FWEbWCX3t

I want to share that I have reported vulnerabilities to other companies like yours, but unfortunately, some have not responded at all. In some cases, I noticed that they fixed the issues within a few days without acknowledging my efforts, which was quite disheartening. Therefore, it truly means a lot to me that you appreciate my work and are taking action to fix the issue.

Thank you once again for your time, and I look forward to potentially collaborating with you in the future. Should you need any further assistance or input regarding security matters, please don’t hesitate to reach out.

Best regards, Sandip

Sandiipmaity commented 1 month ago

Dear Subscan Security Team,

I hope this message finds you well. I want to sincerely apologize for the mistake in my previous message where I provided the wrong Polkadot address.

Here is my correct Polkadot account address: 14SiDiLCjKXA5i4b4DdPRuNKYZZxtZG65FrWM12c4Kd2NntJ

Best regards, Sandip