An open(ish) redirect on Mastodon


Cartoon of a tusked mastodon holding a phone.

I've responsibly disclosed a small security issue with Mastodon (GHSA-8982-p7pm-7mqw). It allows a sufficiently determined attacker to use any Mastodon instance to redirect unwary users to a malicious site. What do you think happens if you visit: https://mastodon.social/@PasswordReset/111285045683598517/admin? If you aren't logged in to that instance, it will redirect you to a 3rd party site. Try opening it in a private browser window. Here's another, less convincing, demo: …

Continue reading →

Responsible Disclosure: arXiv - redirect on login


A padlock engraved into a circuit board.

Suppose you are sent a link to a website - e.g. https://example.com/page/1234 But, before you can access it, you need to log in. So the website redirects you to: https://example.com/login?on_success=/page/1234 If you get the password right, you go to the original page you requested. Nice! But what happens if someone manipulates that query string? Suppose an adversary sends you a link like this: https://example.com/login?on_success=https://evil.com A sensible redirection system should say…

Continue reading →

Responsible Disclosure: Abandoned Buckets and Billing Emails


Error saying the bucket does not exit.

A few weeks ago, I received a billing email from my phone provider O2. While glancing at it, I noticed all the images were broken. Viewing the source of the email showed that they were all coming from http:// mcsaatchi-email-preview.s3.amazonaws.com/o2/... What happens if we visit that domain? Ah, the dreaded "The specified bucket does not exist" error. At some point the images were served from that domain but someone deleted the bucket. This is a problem. Amazon doesn't reserve…

Continue reading →

Responsible Disclosure: XSS in Codeberg Pages


An XSS pop up alert on a webpage.

Codeberg is a hip new code hosting site - similar to GitHub and GitLab. And, much like Gits Hub & Lab, users can serve static content through Codeberg pages. Somehow I screwed up my configuration, and when I visited edent.codeberg.page/abc123 I got this error: Now, whenever I see something from the request echoed into the page's source, my hacker-sense starts tingling. What happens if I shove an innocent HTML element into the URl? edent.codeberg.page/abc<em>123 Aha! It lets through…

Continue reading →

What's the most malicious thing you can do with an injected HTML heading element?


The HTML5 Logo.

A bit of a thought experiment - similar to my Minimum Viable XSS and SVG injection investigations. I recently found a popular website which echoed back user input. It correctly sanitised < to &lt; to prevent any HTML injection. Except… It let through <h2> elements unaltered! Why? I suspect because the output was: &lt;h2&gt;Your search for ... returned no results&lt;/h2&gt; And, somehow, the parser was getting confused. OK, what can we do with this little vector? The first thought is to u…

Continue reading →

Responsible Disclosure: An Exam Board Touting Dodgy PDFs


Screenshot of some Javascript embedded in a page.

I hate academic tests. Wouldn't it be great if you could find the official answer papers? Oh, cool, the OCR Exam Board is hosting answer sheets for all my classes! What happens if I click it? Yeach! It redirects users to a scammy ebook service hosted on an external website. Which, I assume, the exam board does not endorse. Alongside exam books, textbooks, literary classics - there's a bunch of material which probably isn't suitable for school… If you visit the root of the domain, it s…

Continue reading →

Responsible Disclosure: Chrome security bug let tabs draw over each other ($1k bounty)


The Google Logo.

Chrome for Android had a flaw which let one tab draw over another - even if the tabs were on completely different domains. A determined attacker might have been able to abuse this to convince a user to download and installed a spoofed app. See Chrome Bug #1242315 for details. Demo Here's a video of me on one site (Twistory.ml) opening a link to Twitter in a new tab. Twitter's mobile site contains a Web Manifest which should prompt the user to install an app. Rather than displaying this…

Continue reading →

Full Disclosure: XSS in Getty Images


Javascript popup on the Getty Images website.

I've spent two months trying to report this issue to Getty images. They haven't responded to my emails, phone calls, Tweets, or LinkedIn messages. I've tried escalating through OpenBugBounty and HackerOne - but still no response. I've taken the decision to fully disclose this XSS because the Getty Images sites accept payments from users - and users need to be aware that the content they see on Getty Images sites may have been tampered with. This XSS was slightly unusual. When a user submits …

Continue reading →

Responsible Disclosure: [REDACTED] XSS


A pop-up on a website. The HTML code shows the data has been injected.

Legacy websites are a constant source of vulnerabilities. In a fit of excitement, a team commissions a service and then never bothers updating it. Quite often the original owners leave the business and there's no-one left who remembers that the service exists. So it sits there, vulnerable, for years. The [REDACTED] website had a subdomain which was running KANA's IQ software which was last updated in 2010. At least, that's judging by the fact it ran jQuery 1.4.4. Most routes into the site…

Continue reading →

Responsible Disclosure - John Lewis


John Lewis Website with a big circle drawn on it.

The HTML5 specification is complicated. I've been an author on it, and even I couldn't tell you all the weird little gotchas it contains. Between that and "idiosyncratic" browser engines, it's a wonder the world wide web works at all. Let's talk about the humble <meta> element. As its name suggests, it contains metadata about the document. A typical element might look like this: <meta name="description" content="Search our shop for great deals!"> What can the content tag contain? Text!…

Continue reading →

Even Google forgets to renew its domains


Domain showing as available to purchase.

tl;dr Google forgot to renew a domain used in their documentation. It was mildly embarrassing for them. And possibly a minor security concern for some new G-Suite domain administrators Background Choosing a good example domain, to use in documentation, is hard. You want something which is obviously an example, so that users understand they have to substitute it for their own details. But it also needs to be a validly formatted domain, and shouldn't be used for anything important, and -…

Continue reading →

€100 Bug Bounty from Intigriti - please stop tracking your confirmation emails!


Weird confrimation address.

There's a new bug bounty provider in town! The Belgian company Intigriti. This is a quick write-up of how I found a trivial bug in their own system. The EU has announced that it is providing funding for bug bounties on critical open source projects. They've split the programme between HackerOne and Intigriti. I signed up to Intigriti, and instantly received a confirmation email. Can you guess where you go if you click the big "Activate Account" button? I think that's the first time…

Continue reading →