Hi There,
Renganathan here.
This write-up is about a vulnerability I found on Medium which would allow me to hack your Medium account by phishing your FB, Twitter & Google credentials.
YES :P
A few months ago I saw Pratik Dabhi was listed in the Medium Hall of Fame. So I was motivated to hunt bugs on Medium. I enumerated the subdomains and stopped there, because my methodology in those earlier days was very outdated and I was not good at recon.
So I thought of giving it a try again.
I started by collecting interesting parameters with Waybackurls, ParamSpider & Gau. Simultaneously I was manually exploring the site and also spidering Medium with Burp Suite.
Then after some time, I was searching for open redirection parameters like the ones below.
?next=
?url=
?target=
?rurl=
?dest=
?destination=
?redir=
redirect_uri=
?redirect_url=
?redirect=
/redirect/
/cgi-bin/redirect.cgi?{}
/out/
/out?
?view=
/login?to=
?image_url=
?go=
?return=
?returnTo=
?return_to=
?checkout_url=
And then I noticed an awesome parameter which was:
redirect=
I was like
But it was not just an open redirection. I changed the return path to attacker.com.
When I clicked on Sign in with Twitter, I was redirected to attacker.com.
This can lead to phishing like the below POC:
Edit: SSRF isn’t possible, and the logs contain my IP 0_0
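The root cause above is a sign-in flow that trusts whatever host appears in redirect=. As an added defender's example (not code from this post or from Medium), here is a Python redirect validator that accepts only same-origin absolute paths or an http(s) URL on an allowlisted host, and a small log check that flags sign-in requests whose redirect parameter would send the user off-site. The allowlist, the /signin path, the sample request lines and the host attacker.example are constructed for this example.

```python
from urllib.parse import urlparse, parse_qs

# Hosts the application may send a user back to after sign-in (constructed allowlist).
ALLOWED_HOSTS = {"medium.com", "www.medium.com"}
# Where to land when the requested redirect target is rejected.
DEFAULT_LANDING = "/"


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a same-origin absolute path or an http(s) URL on an allowlisted host."""
    if not target:
        return False
    # Whitespace, control characters and backslashes are parsed differently by
    # browsers and server-side URL libraries, so refuse them outright.
    if "\\" in target or any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    # Scheme-less targets must be absolute paths on this origin. "//host" and
    # "///host" are protocol-relative URLs that browsers resolve to another host.
    if target.startswith("/"):
        return not target.startswith("//")
    parsed = urlparse(target)
    # Anything else must be a full http(s) URL with an explicit host.
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False
    # Credentials in the authority ("https://medium.com@other-host") only serve
    # to make the URL look trustworthy; reject them.
    if parsed.username is not None or parsed.password is not None:
        return False
    try:
        parsed.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    # Exact host match: "medium.com.attacker.example" is not "medium.com".
    return (parsed.hostname or "").lower() in allowed_hosts


def safe_landing(target: str, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_LANDING) -> str:
    """Return the requested target if it passes validation, otherwise the default landing page."""
    return target if is_safe_redirect(target, allowed_hosts) else default


# Query parameters that commonly carry a post-login destination.
REDIRECT_PARAMS = {"redirect", "redirect_uri", "redirect_url", "next", "url", "return_to", "returnTo"}


def flag_offsite_redirects(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Return (param, value) pairs from request-line logs whose redirect value fails validation."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        query = urlparse(parts[1]).query  # parts[1] is the request target, e.g. /signin?redirect=...
        for name, values in parse_qs(query).items():
            if name not in REDIRECT_PARAMS:
                continue
            for value in values:  # parse_qs already percent-decodes the value
                if not is_safe_redirect(value, allowed_hosts):
                    flagged.append((name, value))
    return flagged


# Constructed sample request lines; /signin and attacker.example are placeholders.
SAMPLE_LOG = [
    "GET /signin?redirect=https%3A%2F%2Fmedium.com%2Fme HTTP/1.1",
    "GET /signin?redirect=%2F%2Fattacker.example%2Flogin HTTP/1.1",
    "GET /signin?operation=login&redirect=https%3A%2F%2Fattacker.example HTTP/1.1",
]

if __name__ == "__main__":
    for hit in flag_offsite_redirects(SAMPLE_LOG):
        print("off-site redirect:", hit)
```

The validator is deliberately strict: relative paths without a leading slash, non-http schemes and URLs with userinfo are all rejected rather than normalised, and the host comparison is an exact match against the allowlist, so a lookalike subdomain never passes.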
TimeLine:
July 15, 2021 - Reported
July 18, 2021 - Patched by Internal Security Team
July 28, 2021 - Was asked how to get credited in humans.txt (Hall of fame)
July 29, 2021 - Got listed in Medium Hall of fame.
Thanks for reading :)
Stay Safe.