Open Redirection when using OAuth2 for authentication
Categories: bugzilla.mozilla.org :: General, defect
People: Reporter: senthamilboopathi, Assigned: dkl
Details: Keywords: sec-low, wsec-redirect; Whiteboard: [reporter-external] [web-bounty-form] [verif?]
Attachments: 3 files
Open Redirection on https://bugzilla.mozilla.org
Users can be redirected to a malicious site:
or
After successful login, the user can be redirected to a malicious website.
I hope you know the impact of an open redirect; for more info, refer to
https://cwe.mitre.org/data/definitions/601.html
Impact:
Users can be redirected to malicious sites.
Comment 1•2 years ago
Hello,
Thank you for your report.
I am not able to reproduce the issue. I get a 404 Not Found error, and the response also has an error parameter equal to invalid_redirect_uri, as you can see from the screenshot.
Thanks,
Frida
Comment 2•2 years ago
Comment 3•2 years ago (Reporter)
Comment 4•2 years ago (Reporter)
Why did you close this report, Frida?
There is no bounty for open redirection, but I want to secure Mozilla; that's why I submitted the open redirect. But you closed this report suddenly without asking anything from the reporter? It's too unfair.
Comment 5•2 years ago
Please submit additional evidence and detailed steps to reproduce in text (we do not prefer video attachments), and I'll happily reopen the bug if it is indeed valid.
Thanks,
Frida
Comment 6•2 years ago (Reporter)
Steps to reproduce:
Copy the link and paste it into a new tab: https://bugzilla.mozilla.org/oauth/authorize?client_id=46ZcfPbH815zhnmUeyBw&scope=user%3Aread&redirect_uri=https%3A%2F%2Fbing.com&state=8bd3299c19271dfe661baf0e21d4c26aaaa0101f&response_type=code
The redirect_uri parameter is vulnerable to open redirection.
redirect_uri=https%3A%2F%2Fbing.com
redirect_uri=https%3A%2F%2Fgoogle.com
Comment 7•2 years ago (Reporter)
(In reply to Boopathi from comment #6)
Steps to reproduce:
Copy the link and paste it into a new tab: https://bugzilla.mozilla.org/oauth/authorize?client_id=46ZcfPbH815zhnmUeyBw&scope=user%3Aread&redirect_uri=https%3A%2F%2Fbing.com&state=8bd3299c19271dfe661baf0e21d4c26aaaa0101f&response_type=code
The redirect_uri parameter is vulnerable to open redirection.
If you open it in a new tab, it will ask for Bugzilla login credentials.
Once you give valid credentials, after login you will be redirected to bing.com.
Comment 9•2 years ago
Hello,
I can see the redirection now. When I used a valid state parameter, I was redirected to the error page, since the redirect_uri parameter is being validated. However, when submitting the request with an invalid state parameter or without the parameter, I am being redirected.
For example:
https://bugzilla.mozilla.org/oauth/authorize?client_id=46ZcfPbH815zhnmUeyBw&scope=user%3Aread&redirect_uri=https://duckduckgo.com
redirects to:
https://duckduckgo.com/?error=access_denied&error_description=resource+owner+denied+access
I have reopened and assigned the report.
Thanks,
Frida
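As an added illustration (example code, not BMO's implementation or the linked commit), the ordering defect Frida describes above, beside the validate-first ordering an authorization endpoint should use. The client registry, the `state_ok` flag standing in for the server's own state check, and all URIs are constructed for the example.

```python
from urllib.parse import urlencode, urlsplit

# Constructed client registry for this example (not BMO's real data):
# client_id -> the exact redirect URIs registered for that client.
REGISTERED_REDIRECTS = {
    "example-client": {"https://app.example.org/oauth/callback"},
}

def is_registered_redirect(client_id, redirect_uri):
    """Exact-string match against the client's registered URIs (no prefix
    or substring matching), plus a check that it is https with no fragment."""
    if redirect_uri not in REGISTERED_REDIRECTS.get(client_id, set()):
        return False
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and not parts.fragment

def local_error(code):
    # Rendered by the authorization server itself; the browser is NOT redirected.
    return {"redirect": False, "error": code}

def redirect_with(redirect_uri, params):
    return {"redirect": True, "location": f"{redirect_uri}?{urlencode(params)}"}

DENIED = {"error": "access_denied", "error_description": "resource owner denied access"}

def authorize_vulnerable(client_id, redirect_uri, state, state_ok, user_approved):
    """Ordering that reproduces the behaviour in comment 9: redirect_uri is
    only checked once state has passed, so a missing or bad state (state_ok
    is a stand-in for the server's own state check) redirects anywhere."""
    if not state or not state_ok:
        return redirect_with(redirect_uri, dict(DENIED))
    if not is_registered_redirect(client_id, redirect_uri):
        return local_error("invalid_redirect_uri")
    if not user_approved:
        return redirect_with(redirect_uri, dict(DENIED, state=state))
    return redirect_with(redirect_uri, {"code": "CONSTRUCTED_CODE", "state": state})

def authorize_fixed(client_id, redirect_uri, state, state_ok, user_approved):
    """Hardened ordering: client_id and redirect_uri are validated before any
    other decision. Per RFC 6749 section 4.1.2.1 an invalid redirect_uri must
    never cause a redirect; every later error goes only to the registered URI."""
    if not is_registered_redirect(client_id, redirect_uri):
        return local_error("invalid_redirect_uri")
    if not state or not state_ok:
        return redirect_with(redirect_uri, {"error": "invalid_request", "state": state or ""})
    if not user_approved:
        return redirect_with(redirect_uri, dict(DENIED, state=state))
    return redirect_with(redirect_uri, {"code": "CONSTRUCTED_CODE", "state": state})
```

The vulnerable ordering sends the same `error=access_denied&error_description=resource+owner+denied+access` response Frida observed to an unregistered host; the fixed ordering answers locally instead.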
Comment 10•2 years ago
Hello David,
Can you please take a look at this report?
Thanks,
Frida
Comment 11•2 years ago (Reporter)
Hi team, any updates?
Comment 12•2 years ago
The team are aware of the bug and they are working on it. We will post updates here when we know more info.
Comment 13•2 years ago (Assignee)
Comment 14•2 years ago (Assignee)
Merged to master and deploying fix today.
https://github.com/mozilla-bteam/bmo/commit/c93b0357f02fde3c485f54c9ebe5c94daa9c4446
Comment 15•2 years ago (Assignee)
The fix for this bug is now live in production. Please verify that this is fixed for you.
Comment 16•2 years ago (Reporter)
This is a confirmation that the open redirect is no longer happening. I tested it, and it's not working anymore. I appreciate your excellent job!
Comment 17•2 years ago (Reporter)
Hi David,
Is there no HOF or bounty for this report? Could you please check and confirm at the earliest.
Comment 18•2 years ago
Hello Boopathi,
Thank you for confirming the fix. We will discuss the report in the coming couple of weeks and let you know our decision.
Thanks,
Frida
Comment 19•2 years ago (Reporter)
Thanks, Frida
I hope good news comes from you.
Comment hidden (offtopic)
Comment hidden (offtopic)
Comment hidden (offtopic)
Comment 23•2 years ago
We are awarding a Hall of Fame entry for this bug report. Thank you!
Comment 24•2 years ago (Reporter)
Yeah, but it's not a normal open redirect; it's an OAuth2 open redirection. You can steal the victim's cookies and take over his/her account.
Comment 25•2 years ago (Reporter)
For your perusal, I've attached a reference. Please take a look and do the needful.
https://hackerone.com/reports/55525
https://hackerone.com/reports/665651
Comment 26•2 years ago
Hello Boopathi,
We already received a report regarding the OAuth authentication, and it is not possible to take over the user's account in our case because we perform validation on the redirect_uri in both Bugzilla and Phabricator. Please refer to bug 1761594 for details.
Thanks,
Frida