Responsible Disclosure: arXiv - redirect on login
Suppose you are sent a link to a website - e.g. https://example.com/page/1234
But, before you can access it, you need to log in. So the website redirects you to: https://example.com/login?on_success=/page/1234
If you get the password right, you go to the original page you requested. Nice!
But what happens if someone manipulates that query string? Suppose an adversary sends you a link like this:
https://example.com/login?on_success=https://evil.com
A sensible redirection system should say "Hang on a minute! Only internal redirections are allowed. I'd better stop this tomfoolery."
Sadly, that's not always the case. Take, for example, arXiv.org - a website for academics and researchers to share papers.
I discovered that a URL like this - https://arxiv.org/login?next_page=https://example.com/
- would redirect a logged-in user to any external site.
A malicious user could send a victim a link such as https://arxiv.org/login?next_page=http://arxiv-login-info.xyz/
- after a successful login on the genuine arxiv.org, the victim lands on a phishing page that asks them to "log in again" and steals their credentials. Or the redirect could send them to a site serving malware, etc. The link itself points at the real arxiv.org, which is what makes it convincing.
The fix is simple in principle. Any redirection logic should ensure that users can only be redirected to an internal page, never to an external site. In practice that means accepting only a relative path on the same origin rather than trying to blocklist "http://" - a naive check is easily bypassed by a protocol-relative target such as //evil.com/ or a backslash variant such as /\evil.com, which browsers normalise to a forward slash.
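As an added example (my own illustration, not arXiv's code or the fix they shipped), here is the naive redirect handling beside a hardened allowlist check. The function names, the sample targets and the default landing page of "/" are assumptions for the example; the check only accepts a path that begins with exactly one forward slash and, after parsing, still has no scheme and no host.

```python
from urllib.parse import urlsplit


def naive_redirect_target(next_page: str) -> str:
    """The vulnerable pattern: trust the query parameter as-is.

    Anything the attacker puts in ?next_page= becomes the Location header.
    """
    return next_page


def is_safe_internal_path(next_page: str) -> bool:
    """Return True only for a same-origin, path-only redirect target."""
    if not next_page:
        return False
    # Must be exactly one leading slash: "//evil.com" is a
    # protocol-relative URL that browsers resolve to another host.
    if not next_page.startswith("/") or next_page.startswith("//"):
        return False
    # Browsers treat "\" as "/" in the scheme/authority part, so
    # "/\evil.com" behaves like "//evil.com". Reject backslashes outright.
    if "\\" in next_page:
        return False
    # Control characters and whitespace are stripped by some URL parsers,
    # which can turn a "safe" string into "//evil.com" after cleanup.
    if any(ord(ch) < 0x21 for ch in next_page):
        return False
    parts = urlsplit(next_page)
    # After parsing, a genuinely internal path has no scheme and no
    # network location, and its path component still starts with "/".
    return parts.scheme == "" and parts.netloc == "" and parts.path.startswith("/")


def redirect_target(next_page: str, default: str = "/") -> str:
    """Hardened replacement: fall back to the site root on anything unsafe."""
    return next_page if is_safe_internal_path(next_page) else default


# Constructed sample inputs (not taken from the report): the legitimate
# target from the post, plus the kinds of strings an attacker would try.
SAMPLE_TARGETS = [
    "/page/1234",                        # legitimate internal page
    "/page/1234?tab=2#section",          # internal, with query and fragment
    "https://example.com/",              # absolute external URL
    "http://arxiv-login-info.xyz/",      # the phishing example from the post
    "//evil.com/",                       # protocol-relative
    "/\\evil.com",                       # backslash variant
    "https:evil.com",                    # scheme without slashes
    "javascript:alert(1)",               # non-http scheme
    "",                                  # missing parameter
]

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        print(f"{target!r:36} naive -> {naive_redirect_target(target)!r:36} "
              f"hardened -> {redirect_target(target)!r}")
```

An alternative that some frameworks prefer is to resolve the candidate against the request's own base URL and compare the resulting host and scheme with the request's; that works too, but it is only as good as the URL parser's agreement with the browser's, which is why the allowlist above rejects the ambiguous characters before parsing rather than after.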
Timeline
- 2023-04-18 - discovered. Opened a bug on GitHub asking for a way to privately disclose. Shortly afterwards, I received an email address and sent my findings.
- 2023-04-19 - Sent a screencast showing the open redirect. Issue confirmed by the developer.
- 2023-04-24 - a fix was proposed which solved some of the issues but not all of them.
- 2023-05-02 - final fix pushed
- 2023-05-19 - this post automatically published.
Dawn Blackbird said on mastodonapp.uk:
@Edent Ouch! 😬