Closed Bug 1765917 Opened 2 years ago Closed 2 years ago

Open Redirection when using OAuth2 for authentication

Categories

(bugzilla.mozilla.org :: General, defect)

defect


RESOLVED FIXED

People

(Reporter: senthamilboopathi, Assigned: dkl)


Details

(Keywords: sec-low, wsec-redirect, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Attachments

(3 files)

Hello,

Thank you for your report.

I am not able to reproduce the issue. I get a 404 Not Found error, and the response also has an error parameter equal to invalid_redirect_uri, as you can see from the screenshot.

Thanks,
Frida

Attached image PoC results in error
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID
Attached video OP.mp4

Why did you close this report, Frida?
There is no bounty for open redirection, but I want to secure Mozilla; that's why I submitted the open redirect. But you closed this report suddenly without asking anything from the reporter? It's too unfair.

Please submit additional evidence and detailed steps to reproduce in text (we do not prefer video attachments) and I'll happily reopen the bug if it is indeed valid.

Thanks,
Frida

Steps to reproduce:
Copy the link and paste it into a new tab: https://bugzilla.mozilla.org/oauth/authorize?client_id=46ZcfPbH815zhnmUeyBw&scope=user%3Aread&redirect_uri=https%3A%2F%2Fbing.com&state=8bd3299c19271dfe661baf0e21d4c26aaaa0101f&response_type=code

The redirect_uri parameter is vulnerable to open redirection, for example:

redirect_uri=https%3A%2F%2Fbing.com
redirect_uri=https%3A%2F%2Fgoogle.com

(In reply to Boopathi from comment #6)

> Steps to reproduce:
> Copy the link and paste it into a new tab: https://bugzilla.mozilla.org/oauth/authorize?client_id=46ZcfPbH815zhnmUeyBw&scope=user%3Aread&redirect_uri=https%3A%2F%2Fbing.com&state=8bd3299c19271dfe661baf0e21d4c26aaaa0101f&response_type=code
>
> The redirect_uri parameter is vulnerable to open redirection.

If you open it in a new tab, it will ask for Bugzilla login credentials.
After you give valid credentials and log in, you will be redirected to bing.com.

I

Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: INVALID → ---
Group: websites-security → bugzilla-security
Status: REOPENED → NEW
Type: task → defect
Component: Other → General
Product: Websites → bugzilla.mozilla.org

Hello,

I can see the redirection now. When I used a valid state parameter, I was redirected to the error page, since the redirect_uri parameter is being validated. However, when submitting the request with an invalid state parameter or without the parameter, I am being redirected.

For example:

https://bugzilla.mozilla.org/oauth/authorize?client_id=46ZcfPbH815zhnmUeyBw&scope=user%3Aread&redirect_uri=https://duckduckgo.com

redirects to:

https://duckduckgo.com/?error=access_denied&error_description=resource+owner+denied+access

I have reopened and assigned the report.

Thanks,
Frida
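The behaviour Frida describes above is an ordering problem: the authorization endpoint answered a missing or invalid state by redirecting to redirect_uri with error parameters before it had checked that redirect_uri was registered for the client. The example below is added here to illustrate that failure mode and its fix in a minimal model; it is not Bugzilla's code and does not claim to reproduce its implementation. The client id, registered callback URI, attacker host, and the `authorize_before_fix` / `authorize` functions are all constructed for the illustration.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode

# Constructed client registry (placeholder values, not a real registration).
REGISTERED_CLIENTS = {
    "example-client-id": {"redirect_uris": ["https://client.example/callback"]},
}

ACCESS_DENIED = {
    "error": "access_denied",
    "error_description": "resource owner denied access",
}


def redirect_uri_is_registered(client_id, redirect_uri):
    """Exact-string comparison against the client's registered URIs.

    No prefix, wildcard or host-only matching: a registered
    'https://client.example/callback' does not cover
    'https://client.example/callback?x=1' or 'https://client.example/'.
    """
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or redirect_uri is None:
        return False
    return redirect_uri in client["redirect_uris"]


def build_redirect(redirect_uri, params):
    """Append OAuth response parameters to the (already validated) redirect_uri."""
    parts = urlsplit(redirect_uri)
    query = parts.query + ("&" if parts.query else "") + urlencode(params)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def authorize_before_fix(params, user_approved):
    """Model of the ordering reported in this bug (constructed, not Bugzilla's code).

    A missing state is turned into an error redirect BEFORE redirect_uri has
    been validated, so any redirect_uri becomes an open redirect.
    """
    redirect_uri = params.get("redirect_uri", "")
    state = params.get("state")
    if not state:
        return ("redirect", build_redirect(redirect_uri, ACCESS_DENIED))
    if not redirect_uri_is_registered(params.get("client_id"), redirect_uri):
        return ("render", "invalid_redirect_uri")
    if not user_approved:
        return ("redirect", build_redirect(redirect_uri, {**ACCESS_DENIED, "state": state}))
    return ("redirect", build_redirect(redirect_uri, {"code": "constructed-code", "state": state}))


def authorize(params, user_approved):
    """Hardened ordering: validate redirect_uri before ANY redirect, errors included.

    Returns ('render', body) when the server must answer locally, or
    ('redirect', location) once the target is known to be registered.
    """
    client_id = params.get("client_id")
    redirect_uri = params.get("redirect_uri")
    state = params.get("state")
    # RFC 6749 s4.1.2.1: if redirect_uri is invalid or unregistered, the server
    # MUST NOT redirect the user agent to it; inform the resource owner locally.
    if not redirect_uri_is_registered(client_id, redirect_uri):
        return ("render", "invalid_redirect_uri")
    # Only now is an error redirect safe. Rejecting a missing state is a local
    # policy choice in this model (state is RECOMMENDED, not REQUIRED, in RFC 6749).
    if not state:
        return ("redirect", build_redirect(redirect_uri, {
            "error": "invalid_request",
            "error_description": "missing state",
        }))
    if not user_approved:
        return ("redirect", build_redirect(redirect_uri, {**ACCESS_DENIED, "state": state}))
    return ("redirect", build_redirect(redirect_uri, {"code": "constructed-code", "state": state}))


if __name__ == "__main__":
    # Request with no state and an unregistered redirect_uri, as in the report.
    req = {"client_id": "example-client-id", "scope": "user:read",
           "redirect_uri": "https://attacker.example/"}
    print("before fix:", authorize_before_fix(req, user_approved=True))
    print("after fix: ", authorize(req, user_approved=True))
```

The point to check in any authorization server is the order of the two branches in `authorize`: every code path that ends in a `Location:` header, including the `access_denied` and `invalid_request` error paths, must sit below the registered-URI check. A useful regression test is exactly the request in this report (valid client_id, unregistered redirect_uri, no state), asserting that the response is a locally rendered error and not a 302.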

Hello David,

Can you please take a look at this report?

Thanks,
Frida

Flags: needinfo?(dkl)
Assignee: nobody → dkl
Status: NEW → ASSIGNED
Flags: needinfo?(dkl)

Hi team, any updates?

The team is aware of the bug and is working on it. We will post updates here when we know more.

Attached file GitHub Pull Request
Summary: Open Redirection → Open Redirection when using OAuth2 for authentication

The fix for this bug is now live in production. Please verify that this is fixed for you.

Flags: needinfo?(senthamilboopathi)

This is a confirmation that the open redirect is no longer happening. I tested it, and it's not working anymore. I appreciate your excellent job!!!!

Flags: needinfo?(senthamilboopathi)
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED

Hi David,

Is there no HOF or bounty for this report? Could you please check and confirm at the earliest.

Hello Boopathi,

Thank you for confirming the fix. We will discuss the report in the coming couple of weeks and let you know our decision.

Thanks,
Frida

Thanks, Frida
I hope good news comes from you.

We are awarding a Hall of Fame entry for this bug report. Thank you!

Flags: sec-bounty?
Flags: sec-bounty-hof+
Flags: sec-bounty-

Yeah, but it's not a normal open redirect, it's an OAuth2 open redirection; you can steal the victim's cookies and take over his/her account.

For your perusal, I've attached references; please take a look and do the needful.
https://hackerone.com/reports/55525
https://hackerone.com/reports/665651

Hello Boopathi,

We already received a report regarding the OAuth authentication, and it is not possible to take over the user's account in our case because we perform validation on the redirect_uri in both Bugzilla and Phabricator. Please refer to bug 1761594 for details.

Thanks,
Frida

Group: bugzilla-security