Over the last few years of doing bug bounties, it has become more and more common for companies to reject reports about Open Redirects. Once upon a time we could turn an open redirect into XSS; these days the attack vector would most likely fall under Social Engineering, and 9 times out of 10 that vector is out of scope.
So the question is, does anyone still care about Open Redirects? The answer is - probably not.
Here are two examples that were reported to Facebook over the last couple of years. Both were accepted and fixed, but only one was eligible for a bounty.
Example 1 - Login flow - internalfb.com
The first was reported back in September 2020. The vulnerability worked as follows:
- Visit: https://www.internalfb.com/intern/login/?next=.ash-king.co.uk
- Enter a valid email address in the login form
- Click the Next button
- You will be redirected to `https://www.internalfb.com.ash-king.co.uk/` - a domain not controlled by Facebook. The `next` value was evidently appended to the current hostname rather than treated as a path, which is why a leading dot was enough to land on an attacker-controlled domain.
Overall the triage process was pretty straightforward. Accepted and moved to the product team 3 days later. The issue was then resolved within the month.
Facebook awarded a $500 bounty with a response of:
After reviewing this issue, we have decided to award you a bounty of $500. Below is an explanation of the bounty amount. Facebook fulfills its bounty awards through Bugcrowd and HackerOne.
It's possible to redirect users from our Intern login page to any site including evilzone.org (site blacklisted by linkshim)
Facebook acknowledged this was a security issue!
Example 2 - 2FA flow - facebook.com
The second example was reported back in December 2021. The vulnerability worked as follows:
- Log into Facebook with UserA
- Visit https://www.facebook.com/security/twofactor/reauth/?twofac_next=https%3A%2F%2Ftest.facebook-whitehat.com&type=avoid_bypass&app_id=0&save_device=0 as UserA
- Confirm your two-factor authentication; in my case I used a Yubico USB key
- You will be redirected to test.facebook-whitehat.com - a blacklisted domain. Here the `twofac_next` parameter accepted an absolute URL to an arbitrary host.
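Both reports above come down to the same defect: a redirect parameter (`next` in the login flow, `twofac_next` in the 2FA flow) is trusted without being pinned to a known origin. The following Python is an added example, not code from the original post and not Facebook's implementation. `vulnerable_redirect` is a hypothetical reconstruction of the simplest code that behaves like example 1 (host and parameter concatenated), and `safe_redirect_target` is the check a login or 2FA handler should apply instead. The allowlist (`ALLOWED_HOSTS`), the fallback URL and the `example.com` hosts are constructed for the demo; the payloads `.ash-king.co.uk` and `https://test.facebook-whitehat.com` are the two values from the reports.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for this example; the page does not show which hosts
# Facebook's login or 2FA flows are meant to redirect to.
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
FALLBACK = "https://www.example.com/"


def vulnerable_redirect(current_host: str, nxt: str) -> str:
    """Hypothetical reconstruction of the bug in example 1: the untrusted
    `next` value is concatenated onto the hostname, so `next=.attacker.tld`
    produces a host that ends in the attacker's domain. The page does not show
    Facebook's code; this is simply the shortest code with that behaviour."""
    return "https://" + current_host + nxt


def safe_redirect_target(current_host: str, nxt: Optional[str]) -> str:
    """Return a redirect target that stays on an allowlisted origin, or FALLBACK.

    Accepted: a same-origin path with exactly one leading slash, or an https
    URL whose parsed hostname is in ALLOWED_HOSTS. The result is rebuilt from
    parsed components so userinfo, ports, fragments and odd schemes never pass
    through to the Location header.
    """
    if not nxt:
        return FALLBACK
    # Backslashes and control characters: some browsers normalise "\" to "/"
    # (so "/\evil" becomes "//evil"), urlsplit silently strips control chars
    # before parsing, and CR/LF must never reach a Location header.
    if "\\" in nxt or any(ord(c) < 0x20 for c in nxt):
        return FALLBACK
    parts = urlsplit(nxt)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative ("//host"): only https to an allowed host.
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            return FALLBACK
        return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))
    # Relative: require a single leading slash so ".attacker.tld" (example 1)
    # and "//attacker.tld" are both rejected, then pin it to the current host.
    if not nxt.startswith("/") or nxt.startswith("//"):
        return FALLBACK
    return "https://" + current_host + urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    # The example 1 payload against the vulnerable pattern.
    print(vulnerable_redirect("www.internalfb.com", ".ash-king.co.uk"))
    # The two payloads from the page plus constructed variants, against the check.
    for candidate in [
        ".ash-king.co.uk",                          # example 1 payload
        "https://test.facebook-whitehat.com",       # example 2 payload
        "//evil.example/login",                     # scheme-relative
        "https://www.example.com@evil.example/",    # userinfo trick
        "/\\evil.example",                          # backslash normalisation
        "javascript:alert(1)",                      # non-http scheme
        "/settings?tab=security",                   # legitimate same-origin path
        "https://accounts.example.com:443/login",   # legitimate allowlisted host
    ]:
        print(f"{candidate!r:45} -> {safe_redirect_target('www.example.com', candidate)}")
```

The design choice worth noting is that the safe version never echoes the raw parameter: it either rebuilds the URL from the parsed scheme, hostname, path and query, or falls back to a fixed landing page. Substring checks such as `startswith("https://www.internalfb.com")` are exactly what `www.internalfb.com.ash-king.co.uk` defeats.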
Again, the triage process was pretty straightforward. Accepted and moved to the product team 5 days later. The issue was then resolved within the month.
I then received the following response:
Thanks for writing in.
We have discussed the issue at length and concluded that, whilst you reported a valid issue which the team may make changes based on, unfortunately your report falls below the bar for a monetary reward.
This is because even if linkshim is not applied here, the fact that the user requires interactions makes it non-exploitable for having enough security impact to qualify for our bug bounty program. I wish you luck in your continued bug hunting.
With that being said, it feels like even the larger companies are no longer rewarding these finds. For me, this tells me two things:
- Companies expect the end user to be clued up and keep track of the URLs they are on - let's not pretend that everyone understands what a web browser is, especially if an action on site X caused a redirect (auth)
- Companies rely on the web browser too much; what happens if Chrome/Firefox decide that Open Redirects are now
Just to add to this, I recently received a private invite for a HackerOne Clear program. The policy stated that open redirects are out of scope, but the most frustrating part was that there was an open redirect on the login page! This was left unreported to save some reputation points, but leaving the smallest vulnerabilities like this could have a huge knock-on effect in the future if abused en masse.
I'd be interested to know anyone else's views / experience with Open redirects. Get in touch or leave a comment :)