Hi guys, I have been gone for a while, but now I'm back with a new write-up. Today I'm going to show you an open redirect vulnerability I found on an Apple subdomain using the dot character.
I don't have permission to publish the subdomain, so I won't name it, but you can think of it as a forum where users are active. I'll call it "redacted", and let's get started!
First of all, when we visit the redacted.apple.com subdomain, there is a login screen, and logging in is quite simple.
As you can see in the picture, the ?path= parameter is set to redirect to another page on the same subdomain in the section where users who log in for the first time choose a nickname.
For first-time users, this flow will presumably redirect to "/welcome?login=true" once all the prerequisites have been completed correctly.
As I guessed, after choosing a username and uploading an avatar, the redirect sent me to the specified page. Of course, the first things I tried here were the usual payloads like https://evil.com and //evil.com.
What was interesting to me was that after using the //evil.com payload, the response contained /evil.com with a single '/' character.
With a payload like ?path=//evil.com you would expect the following: redacted.apple.com//evil.com
However, the response I got was: redacted.apple.com/evil.com
So the duplicate slashes were being collapsed. I figured the single '/' that remained was coming from my payload, and thought of just sending evil.com without any slash at all.
What I actually expected was to be redirected to a non-existent redacted.apple.comevil.com domain, but instead I was sent back to "/welcome?login=true". For most parameters of this kind, evil.com would simply be treated as a path on the subdomain, which is harmless (?path=evil.com > x.apple.com/evil.com).
Then an idea came to mind that I hadn't seen anywhere before. It was purely theoretical, and I was surprised to see that it actually worked at Apple.
If we set the payload to .evil.com (i.e. ?path=.evil.com), the value is appended directly to the end of redacted.apple.com, giving redacted.apple.com.evil.com. That host is a subdomain of evil.com, so whoever controls evil.com's DNS zone can point it at any server they like.
And here is the result we expected. Putting a dot in front of the payload works because in this case the "/" separator is missing: the value is joined straight onto the host name instead of onto the path, which turns redacted.apple.com into a subdomain of evil.com while the URL still starts with the trusted host name.
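To make the behaviour concrete, here is an added example that is not code from the original post or from Apple: a small model of a redirect builder that glues the host and the ?path= value together (with duplicate slashes collapsed, matching what was observed), next to a hardened version that parses the value against the site's own origin and rejects anything that changes it. The host name redacted.apple.com, the default path, the function names and the slash-collapsing rule are assumptions made for illustration, since the real endpoint is not public.

```javascript
// Added example (not the original post's code): a hypothetical model of the
// redirect builder described in the write-up, and a hardened replacement.
// BASE_HOST, DEFAULT_PATH and the slash-collapsing rule are assumptions.
const BASE_HOST = "redacted.apple.com";
const DEFAULT_PATH = "/welcome?login=true";

// Hypothetical reconstruction of the vulnerable behaviour: the ?path= value
// is glued straight onto the host after runs of "/" are collapsed to one
// (which is why //evil.com came back as /evil.com). Nothing verifies that
// the resulting URL still points at BASE_HOST, so a value that starts with
// "." instead of "/" extends the host name itself.
function buildRedirectVulnerable(path) {
  const value = (path || DEFAULT_PATH).replace(/\/{2,}/g, "/");
  return "https://" + BASE_HOST + value;
}

// Hardened version: resolve the value against the site's own origin with the
// WHATWG URL parser and accept it only if the parsed origin is unchanged.
// Values that change the host (//evil.com, https://evil.com, /\evil.com) are
// replaced by the default, while .evil.com resolves to a harmless path.
function buildRedirectSafe(path) {
  const origin = "https://" + BASE_HOST;
  let target;
  try {
    target = new URL(path || DEFAULT_PATH, origin);
  } catch (e) {
    return origin + DEFAULT_PATH; // unparseable input: fall back to default
  }
  if (target.origin !== origin) {
    return origin + DEFAULT_PATH; // host or scheme changed: reject
  }
  return target.href;
}

// Host a browser would actually contact for a given Location value.
function redirectHost(location) {
  return new URL(location).hostname;
}

// Constructed sample payloads from the write-up, plus a backslash variant.
const payloads = ["/welcome?login=true", "//evil.com", ".evil.com", "/\\evil.com"];
for (const p of payloads) {
  console.log(
    JSON.stringify(p),
    "vulnerable ->", redirectHost(buildRedirectVulnerable(p)),
    "| safe ->", redirectHost(buildRedirectSafe(p))
  );
}
```

Running it prints that the vulnerable builder sends ".evil.com" to the host redacted.apple.com.evil.com, while the hardened builder keeps every payload on redacted.apple.com. The important design point is that the check is made on the parsed origin, not on a string prefix: a prefix check such as startsWith("https://redacted.apple.com") would still accept redacted.apple.com.evil.com.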
The vulnerability was fixed by the team, and I was added to the Apple Hall of Fame.
That’s all for now. Thanks for reading this far and I hope you liked it!
You can follow me on Twitter: https://twitter.com/canmustdie