Broken Link Hijacking - Mr. User-Agent

Jerry Shah (Jerry)
5 min readFeb 13, 2022

--

Summary :

Broken Link Hijacking (BLH) is a web-based attack where it exploits external links that are no longer valid. The attackers take over this expired, stale, and invalid external links on credible websites or web applications for malicious or fraudulent purposes.

If your company uses an external link shortening service, for example, to include short links in tweets, it may be possible that the link shortener goes out of business after some time and is no longer valid. This means that all your old links are now broken.

If an attacker purchases the domain used by the link shortening service that went out of business, they can substitute your original content with their own malicious content.

Description :

I found a different kind of broken link hijacking attack where only android mobile users were affected, though broken link hijacking was out of scope but I found this issue to be unique so I thought of writing a blog on it. When I visited the website I did not find any external link services like twitter, instagram, linkedin etc. and so I started testing for other vulnerabilities and switched my User-Agent using a firefox extension called User-Agent Switcher and observed that after changing the user-agent from default to Android Phone/Firefox the external link to Google Play Store was displayed so I clicked on it and it redirected me to https://play.google.com and gave me an error saying “We’re sorry, the requested URL was not found on this server.”

I saw the URL and there was an ‘id=’ parameter with the value of com.target.androidappname so I thought to takeover it but the problem was I did not had a developer account of google, so I purchased it and build an application with the package name as the ‘id’ parameter value.

So for example if you find this kind of issue where the playstore URL is https://play.google.com/store/apps/details?id=com.target.appname and you want to takeover it then while building an app in android studio for the playstore the package name should as same as you ‘id’ parameter value.

You can also use a tool called dead link checker to find broken link hijacking issues.

How I found this vulnerability ?

  1. I went to my target.com
Target

2. Then I switched the User-Agent from default to Android Phone/Firefox

Switch User-Agent Plugin - Firefox

3. After changing User-Agent, I reloaded the page and found a Google Play Store option below

Google Play Store

4. I clicked on Google Play and was redirected to play store with an error saying “We’re sorry, the requested URL was not found on this server.”

404 - Google Playstore

5. Then an app was created with the same package name as id (com.so_____.___am) and uploaded it on a playstore for a releasing it

Production

6. After some days my app was published on the playstore

Published

NOTE : The app is now removed from the playstore because it was only for a proof of concept.

What is a User-Agent and Why it is used ?

A user agent is any software, acting on behalf of a user, which retrieves, renders and facilitates end-user interaction with Web content. A user agent is therefore a special kind of software agent.

In HTTP, the User-Agent string is often used for content negotiation, where the origin server selects suitable content or operating parameters for the response. For example, the User-Agent string might be used by a web server to choose variants based on the known capabilities of a particular version of client software.

Why it happened ?

In my opinion,

It happened because the content of the User-Agent for a web browsers like firefox, Chrome etc. was served differently than that of a User-Agent of Android devices. By switching the User-Agents the content served was different which makes it an abnormal behaviour and led to broken link hijacking.

Impact :

It may not seem like much on the surface, but deep down, a broken link is doing some serious damage to your website, your reputation, and your business. A single broken link can impact your search engine rankings, your site’s user experience, result in lost customers and revenue, or, in worst case, all of the above. This kind of attacks can also lead to phishing scams.

Calculated CVSS :

Vector String - CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Score - 3.6 (Low)

Mitigation :

There are three ways you can prevent this issue :

  1. Use short, simple, easy-to-read and easy-to-type URLs. When creating links to a specific page, product, event, download, or any other content on your website, make it easy for everyone involved.
  2. Check your links. Test them.
  3. Use a link checker.

Mitigation (In My Case):

The content should be served same on all the User-Agents and if the different content is being served then it should be checked by the above mentioned mitigations.

Special thanks to App Developer :

droppyy33

--

--

Jerry Shah (Jerry)
Jerry Shah (Jerry)

Written by Jerry Shah (Jerry)

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|

Responses (6)