jackb898 (jackb898)
XSS and Open Redirect on MoPub Login
State: Resolved (Closed)
Disclosed: September 24, 2019 11:18pm +0000
Reported To: Twitter
Asset: mopub.com (Domain)
Weakness: Open Redirect
Bounty: $1,540
Severity: No Rating (---)
Participants: jackb898, petrilli, jwaddle, andrewsorensen, bugtriage-sophia
Visibility: Disclosed (Full)
Timeline
jackb898
submitted a report to Twitter.
Aug 27th (2 months ago)

Summary: I found open redirect at the MoPub login page, https://app.mopub.com/login?next=https://google.com. It also allows javascript URIs, leading to XSS.

Description: You can modify the "next" URL parameter to redirect to any website upon logging in on MoPub.

Steps To Reproduce:

  1. Take this URL: https://app.mopub.com/login?next=https://google.com
  2. Change "https://google.com" to whatever URL you want to redirect to.
  3. Visit the URL and log in.
  4. You will be redirected to that site.

Impact: Outlined in Impact section below

Supporting Material/References:

Here's a proof of concept using the URL javascript:alert("proof of concept"):

Impact

An attacker could use this for phishing, cookie jacking, etc. since it allows javascript URIs and therefore XSS vectors. Additionally, they could use URL encoding to hide the URL that the victim is being redirected to.
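The root cause described above is a post-login "next" parameter that is passed straight to the redirect without being checked, so both foreign hosts and non-HTTP schemes such as javascript: are accepted. The following is an added example of how a login handler can validate such a parameter; it is not MoPub's code and the report does not say how Twitter fixed the issue. It assumes a hypothetical helper, is_safe_next, applied server-side before issuing the redirect. It accepts only same-origin relative paths (and, optionally, absolute http(s) URLs on an explicit allow list), decodes percent-encoding once so that an encoded scheme cannot slip past the check, strips the control characters browsers ignore, and treats backslashes as slashes the way browsers do.

```python
from urllib.parse import urlsplit, unquote

# Hypothetical validator (example code, not MoPub's): decide whether a
# user-supplied post-login "next" value may be used as a redirect target.
def is_safe_next(next_url: str, allowed_hosts=()) -> bool:
    """Return True only if next_url is safe to redirect to after login.

    Accepts relative paths on the current origin (e.g. "/dashboard") and,
    optionally, absolute http(s) URLs whose host is in allowed_hosts.
    Rejects everything else: foreign hosts, scheme-relative "//host" URLs,
    and non-HTTP schemes such as javascript: (the vector in this report).
    """
    if not next_url:
        return False
    # Decode once so a percent-encoded scheme (javascript%3A...) or host
    # cannot hide from the checks below, then drop whitespace and control
    # characters, which browsers strip before parsing a URL.
    candidate = unquote(next_url).strip()
    candidate = "".join(ch for ch in candidate if ch >= " " and ch != "\x7f")
    # Browsers treat backslashes as forward slashes; normalize them so
    # "/\evil.example" is seen as the scheme-relative "//evil.example".
    candidate = candidate.replace("\\", "/")

    parts = urlsplit(candidate)
    if parts.scheme:
        # Absolute URL: only http(s) and only hosts we explicitly allow.
        if parts.scheme.lower() not in ("http", "https"):
            return False  # javascript:, data:, vbscript:, ...
        allowed = {h.lower() for h in allowed_hosts}
        return parts.hostname is not None and parts.hostname in allowed
    if parts.netloc:
        return False  # "//evil.example/..." with no scheme
    # A same-origin relative path: must start with exactly one "/".
    return candidate.startswith("/") and not candidate.startswith("//")


def safe_next(next_url: str, default: str = "/", allowed_hosts=()) -> str:
    """Return next_url if it passes validation, otherwise a safe default."""
    return next_url if is_safe_next(next_url, allowed_hosts) else default


if __name__ == "__main__":
    # Constructed sample inputs, including the two values from the report.
    samples = [
        "https://google.com",
        'javascript:alert("proof of concept")',
        "javascript%3Aalert(1)",
        "//evil.example/login",
        "/dashboard",
    ]
    for value in samples:
        print(f"{value!r:45} -> redirect to {safe_next(value)!r}")
```

In a login view, the only change is to call safe_next(request_param) instead of redirecting to the raw parameter; the allow list stays empty unless the application genuinely needs to send users to another host after login, in which case the permitted hosts are named explicitly rather than matched by prefix or substring.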

posted a comment.
Aug 28th (2 months ago)

Thank you for your report @jackb898,

We were able to reproduce the behavior you described and will get back to you when we have more information.

Thank you for thinking of Twitter security.

changed the status to Triaged.
Aug 30th (2 months ago)

Thank you for your report. We believe it may be a valid security issue and will investigate it further. It could take some time to find and update the root cause for an issue, so we thank you for your patience.

Thank you for helping keep Twitter secure!

Twitter rewarded jackb898 with a $1,540 bounty.
Sep 4th (2 months ago)

Thanks again. As mentioned we’ll keep you updated as we investigate further. As a reminder, please remember to keep the details of this report private until we have fully investigated and addressed the issue.

posted a comment.
Sep 4th (2 months ago)

Thanks for the bounty! Will do.

closed the report and changed the status to Resolved.
Sep 9th (2 months ago)

We consider this issue to be fixed now. Can you please confirm?

Thank you for helping keep Twitter secure!

requested to disclose this report.
Sep 10th (2 months ago)

I can confirm it's fixed. Mind if I disclose this?

agreed to disclose this report.
Sep 24th (about 1 month ago)
This report has been disclosed.
Sep 24th (about 1 month ago)