How I could have hacked your medium account by phishing your FB, Twitter & Google credentials.
2021-07-30 01:29:11 Author: infosecwriteups.com(查看原文) 阅读量:53 收藏

Renganathan

Hi There,

Renganathan here.

This write-up is about the vulnerability that I found on Medium which will allow me to hack your medium account by phishing your FB, Twitter & Google credentials.

Medium Login

YES :P

A few months ago I saw Pratik Dabhi was listed in the medium hall of fame. So I was motivated to hunt bugs on Medium. I enumerated the subdomains and stopped there because my methodologies in earlier days were very outdated and I was not good at recon.

So I thought of giving it a try again.

I started with collecting the interesting parameters with Waybackurls, ParamSpider & Gau. simultaneously I was manually exploring the site and also spider the medium with the Burp Suite.

Burp Suite Spidering

Then after some time, I was searching for the Open Redirection parameters like the below ones.

?next=?url=?target=?rurl=?dest=?destination=?redir=redirect_uri=?redirect_url=?redirect=/redirect/cgi-bin/redirect.cgi?{}/out//out??view=/login?to=?image_url=?go=?return=?returnTo=?return_to=?checkout_url=

And then I noticed an awesome parameter which was:

redirect=

I was like

open redirection vro

redirect=

But it was not just an open redirection. I changed the return path to attacker.com

When I clicked on Sign in with Twitter, I was redirected to attacker.com

This can lead to phishing like the below POC:

https://youtu.be/sCrcv5Hn6mc

Edit: SSRF isn’t possible, and the logs contain my IP 0_0

TimeLine:

July 15, 2021 - Reported

July 18, 2021 - Patched by Internal Security Team

July 28, 2021 - Was asked how to get credited in humans.txt (Hall of fame)

Was asked how to get credited in humans.txt (Hall of fame)

July 29, 2021 - Got listed in Medium Hall of fame.

Thanks for reading :)
Stay Safe.

https://www.instagram.com/renganathanofficial/


文章来源: https://infosecwriteups.com/how-i-could-have-hacked-your-medium-account-by-phishing-your-fb-twitter-google-credentials-d53bf7096da7?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh