Open Redirection - QR Code Magic

Summary :

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

The cybersecurity community doesn’t put enough emphasis on Open Redirect Vulnerabilities because it is considered a simple flaw commonly connected to phishing scams and social engineering.

Description :

I have found an Open Redirection vulnerability in one of the public program of YesWeHack but it went duplicate. The mobile application was using a QR Code scanner to track the consignments (check package details). After somewhat research I found a blog on how a QR Code functionality can be exploited. In the blog it was exploited to XSS but in my case I was only able to escalate it to an Open Redirection vulnerability.

Duplicate

QR Code Scanner Briefing :

A QR code scanner is an optical scanning device that is able to read QR codes. Now-a-days many applications are using this feature, so it can be used for browsing websites, checking address details, payments, adding users etc.

Many applications have restricted the use of this feature to limited things. For example, the QR Code Scanner is implemented in Google Pay so it will only be used for sending and receiving payments, you will not be able to use it to surf the internet and if this feature is implemented on any browser then you will be able to surf the internet and will not be able to make payments. In my case the company didn’t restrict the use of its functionality to only track consignments and that thing lead to Open Redirection vulnerability.

How I found this vulnerability ?

1. I registered on the target’s android application
2. Then I found the QR Code scanner feature

QR Code Scanner

3. I went to https://www.the-qrcode-generator.com/ to generate a custom QR Code for Open Redirection vulnerability

QR Code - Open Redirection

4. After generating the custom QR Code I scanned it with the scanner of target’s android application and it got redirected

Proof Of Concept (Use full screen to view) : https://drive.google.com/file/d/1eXUMu9ZzN9aAUJ8pEyMM5vZsn3wTJgnt/view?usp=sharing

Why this happen ?

In my opinion,

This happened due to no restriction on what to scan. The scan should have been restricted to only track consignments and not to scan URLs. The XSS did not happened because it was not supporting “javascript URI”.

Issue Escalations :

1. Open Redirection
2. XSS (https://payatu.com/blog/nikhil-mittal/firefox-ios-qr-code-reader-xss-%28cve-2019-17003%29)
3. SQLi (https://www.irongeek.com/xss-sql-injection-fuzzing-barcode-generator.php)

Impact :

An attacker can exploit this kind of and can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application.

Mitigation :

A proper fix would be having there company’s symbol in the QR Code just like WhatsApp and Instagram has it, so it will not scan any customize QR Code. Moving forward for another fix would be restricting the scan to its function only (track consignments in my case).