How I found a VULNERABILITY in developers.hive.io

in LeoFinance · 3 years ago (edited)

Good day, everyone!

Atharv here from India. I discovered a security flaw in hive.io, so I decided to write a blog post about it.

The vulnerability I'll discuss isn't new; it's a well-known pattern among web developers. However, not many people have considered it from a security standpoint, and I had never seen it discussed in any security paper, so I decided to bring it up.

What is an Open Redirect?
Most of us are already familiar with the term "open redirect." If you aren't: it's when an unauthorized person can set any value as a redirect destination. Consider the following "legitimate" redirect chain:
https://example.com/login?redirectUrl=https://app.example.com

This leads to app.example.com in the end. But what if someone malforms this URL into the following:
https://example.com/login?redirectUrl=https://evil.com

You'll notice that the end destination has changed from app.example.com to evil.com. It's an open redirect vulnerability if the web app allows that URL change and we're eventually redirected to https://evil.com. This behaviour could be chained with other vulnerabilities like SSRF, used for phishing, or used to steal access tokens from authentication flows. There are numerous things that can be done with it.

Vulnerable URL : https://developers.hive.io//evil.com/..;/css
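The URL above works because a path beginning with `//` is a protocol-relative URL: a redirect check that only tests for a leading `/` lets the browser resolve it to `https://evil.com/...`. Below is an added example (my own code, not Hive's or the post's) of a weak check beside a hardened one; the allowlist hosts and the `safe_redirect` helper are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts the application is allowed to redirect to (assumption).
ALLOWED_HOSTS = {"app.example.com", "developers.hive.io"}


def naive_is_safe(target: str) -> bool:
    """Weak check: anything starting with '/' is treated as a same-site path.

    "//evil.com/..;/css" passes, yet a browser resolves it to https://evil.com/..;/css.
    """
    return target.startswith("/") or target.startswith("https://app.example.com")


def hardened_is_safe(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only single-slash site-relative paths or absolute URLs on allowlisted hosts."""
    # Protocol-relative ("//host") and backslash variants ("/\host", "\\host") are
    # interpreted as a different origin by browsers, so reject them before parsing.
    if target.startswith(("//", "/\\", "\\")):
        return False
    try:
        # Browsers treat '\' like '/' in URLs; normalise so the parser sees the same thing.
        parts = urlsplit(target.replace("\\", "/"))
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: must start with exactly one '/'.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # blocks javascript:, data:, etc.
    # .hostname strips userinfo and port, so "https://app.example.com@evil.com" yields evil.com.
    host = parts.hostname or ""
    return host.lower() in allowed_hosts


def safe_redirect(target: str, fallback: str = "/") -> str:
    """Return the requested target if it passes the hardened check, else a local fallback."""
    return target if hardened_is_safe(target) else fallback
```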

I reported this bug immediately to Hive security. After a few days, the Hive security team resolved the issue.

Some dorks for finding open redirection vulnerabilities:

[Image: open R.png]

Please upvote if you learn something :)

Thanks.


Hello Atharv, nice to see you here, man. Thanks for contributing to Hive.io's security. While there are people who are stealing funds from others' accounts, we have people like you who are safeguarding this place with their skills and knowledge.

Welcome to Hive! I have noticed that you didn't make your introductory post. It would be great to know you a little bit more and what exactly you do. Make sure you use the #introduceyourself tag while making it. It will help you get some more attention.

Btw, I am from India too. Looking forward to reading your future posts. ✌🚀 Hive can use more talented people like you.

Posted Using LeoFinance Beta

Hello Finguru,
I am Atharv currently working as a security researcher. I am from Pune, Maharashtra.
Where are you from?

I am from New Delhi. Working as a freelance social marketer. ✌️

Do more of these posts!


What a good technical eye, friend; thanks for your contribution...


Welcome to Hive, and thanks so much for helping to protect this wonderful place :) I hope to see you here often :)

#dreemer

!PIZZA and !ALIVE

You Are Alive and have been rewarded with 0.1 ALIVE tokens from the We Are Alive Tribe, and it's paid for by the earnings on @alive.chat, swing by our daily chat any time you want.