subscan-explorer / subscan-issue-tracker

The issue tracker for Subscan.io.

Open Redirect Vulnerability on Login Page #108

Open Sandiipmaity opened 5 days ago

Sandiipmaity commented 5 days ago

Confirmation

Affected Network(s)

https://pro.subscan.io/

Steps to reproduce

An Open Redirect is a vulnerability that occurs when a web application accepts untrusted input that specifies a URL, and then redirects the user's browser to that URL without proper validation. This flaw allows attackers to manipulate the redirect URL and send users to malicious or unintended websites.

I found this open redirect vulnerability on the login page of https://pro.subscan.io/, specifically in the redirect parameter. By manipulating this parameter, an attacker can redirect users to an external malicious site (such as https://www.attcker.com/), potentially facilitating phishing attacks, credential theft, or other malicious activity.

Steps to reproduce

  1. Open the browser and navigate to the following URL: https://pro.subscan.io/login?redirect=https%3A%2F%2Fwww.evil.com%2F
  2. Enter valid login credentials and submit the form.
  3. Observe that after submitting the login form, the browser redirects the user to https://www.evil.com/, a malicious site.

Expected output

Suggested Mitigation:

  1. Validate the redirect Parameter: Ensure that the redirect parameter only accepts URLs within the same domain or a list of trusted domains.

  2. URL Whitelisting: Implement a whitelist of approved redirect URLs. Only allow redirects to a small set of trusted internal URLs (e.g., paths like /dashboard, /profile, etc.).

  3. Sanitize Input: If the redirect is necessary for functionality, sanitize and validate all user-provided input to ensure it doesn’t lead to external sites.

  4. User Warning: If redirection to an external URL is necessary (in certain cases), provide a clear warning to the user, asking for confirmation before redirecting them to a third-party site.

Actual output

Risk: The risk posed by this open redirect vulnerability is significant, as it can lead to phishing attacks, loss of user trust, and potential exposure to malware. It's recommended to address this issue as soon as possible.

The user may be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker-controlled web page that appears to be a trusted web site. The phishers may then steal the user’s credentials and then use these credentials to access the legitimate web site.

Additional factoids or references

Let me know if you need more information. Contact email: maitysandip925@gmail.com

Best regards, Sandip Bug Hunter / Security Researcher
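The following is an added example of the first two mitigations suggested in the report (same-origin validation plus a fixed default landing path); it is not Subscan's code, and the origin `https://pro.subscan.io` and the default path `/dashboard` are assumed values. It also handles two bypasses the report does not mention: protocol-relative `//host` values and paths whose dot-segment normalisation produces one.

```javascript
// Added example (not Subscan's code): validate a post-login `redirect`
// parameter so the browser can only be sent to a same-origin path.
// APP_ORIGIN and DEFAULT_TARGET are assumed values for illustration.
const APP_ORIGIN = "https://pro.subscan.io";
const DEFAULT_TARGET = "/dashboard";

// Returns a safe same-origin path (path + query + fragment) to redirect to,
// or DEFAULT_TARGET when the supplied value cannot be proven safe.
function safeRedirectTarget(raw, appOrigin = APP_ORIGIN) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return DEFAULT_TARGET;
  }
  // Only plain absolute paths are acceptable. "https://evil.com",
  // "javascript:...", "//evil.com" and "/\evil.com" (browsers treat a
  // backslash like a slash) all fail this test.
  if (!raw.startsWith("/") || raw.startsWith("//") || raw.startsWith("/\\")) {
    return DEFAULT_TARGET;
  }
  // Resolve against our own origin and let the URL parser confirm the
  // result stays on it; this catches encodings a prefix check alone misses.
  let parsed;
  try {
    parsed = new URL(raw, appOrigin);
  } catch {
    return DEFAULT_TARGET;
  }
  if (parsed.origin !== appOrigin) {
    return DEFAULT_TARGET;
  }
  // Never echo scheme/host; return only the path portion. Re-check the
  // normalised path, because "/..//evil.com" resolves to the
  // protocol-relative "//evil.com" after dot-segment removal.
  const target = parsed.pathname + parsed.search + parsed.hash;
  if (target.startsWith("//")) {
    return DEFAULT_TARGET;
  }
  return target;
}

// The reporter's payload, as a framework would hand it over after decoding.
const reported = decodeURIComponent("https%3A%2F%2Fwww.evil.com%2F");
console.log(safeRedirectTarget(reported));                // "/dashboard"
console.log(safeRedirectTarget("/..//www.evil.com/"));    // "/dashboard"
console.log(safeRedirectTarget("/account/keys?tab=api")); // "/account/keys?tab=api"
```

The login handler would pass the returned value, never the raw parameter, to its redirect response.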

WoeOm commented 3 days ago

Thanks for reporting this security issue, we will fix it in the next update.

Sandiipmaity commented 2 days ago

Dear Subscan Security Team,

Thank you for your prompt response and for acknowledging the security issue I reported. I’m glad to hear that the vulnerability will be fixed in your next update.

I want to express that my motivation for reporting this vulnerability stems from a deep passion for cybersecurity and the desire to help organizations like yours stay secure. I believe in the importance of contributing to the security community and supporting safe online environments.

Although I am aware that Subscan currently does not have a formal bug bounty program, I would like to humbly ask if there’s any possibility for a monetary reward in recognition of my efforts. Such a reward would greatly assist me in pursuing my higher education and would provide significant motivation to continue working toward securing other organizations just as I have done with yours.

Thank you once again for your consideration, and please feel free to reach out if you require further assistance with this or future security matters.

Looking forward to seeing the fix implemented.

Best regards, Sandip Bug Hunter / Security Researcher