{"id":248,"date":"2021-08-23T01:56:11","date_gmt":"2021-08-23T01:56:11","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=248"},"modified":"2021-08-23T01:56:11","modified_gmt":"2021-08-23T01:56:11","slug":"open-redirect-vulnerability-in-substack","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=248","title":{"rendered":"Open Redirect Vulnerability in Substack"},"content":{"rendered":"<h2 class=\"wp-block-heading\">Summary<\/h2>\n<p>Substack had an open redirect vulnerability in their login flow which would have allowed an attacker to facilitate phishing attacks. The vendor has deployed a fix for this issue.<\/p>\n<h2 class=\"wp-block-heading\">Vulnerability Details<\/h2>\n<p>Substack is an online platform that allows users to create and operate free and paid subscription newsletters. This platform had an open redirect vulnerability in its login flow which would redirect users to any site after login completed. This could have been used by an attacker to facilitate phishing attacks targeting Substack users and steal their credentials.<\/p>\n<p>The vulnerability was due to the fact that the \u201credirect parameter\u201d in the login flow wasn\u2019t validated to make sure that the redirect only goes to a specific set of URLs. 
The attacker could specify their own redirect URL as follows:<\/p>\n<p>https:\/\/substack.com\/sign-in?redirect=<strong>https:\/\/www.google.com<\/strong><\/p>\n<p>See screenshots below:<\/p>\n<h2 class=\"wp-block-heading\">Vendor Response<\/h2>\n<p>Once a correct reporting channel was established, the issue was reported to the vendor and a fix was deployed limiting the redirect parameter to Substack-specific URLs.<\/p>\n<h2 class=\"wp-block-heading\">References<\/h2>\n<p>CWE: <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/601.html\">CWE-601: URL Redirection to Untrusted Site (\u2018Open Redirect\u2019)<\/a><\/p>\n<p>OWASP: <a href=\"https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html\">Unvalidated Redirects and Forwards Cheat Sheet<\/a><\/p>\n<h2 class=\"wp-block-heading\">Timeline<\/h2>\n<p>2021-07-08: Initial contact with the vendor, asking for a correct reporting channel<br \/>2021-07-09: Initial reply received, confirming communication channel again \u2013 no response from the vendor<br \/>2021-07-13: Pinged again \u2013 no response; pinged company co-founders on Twitter<br \/>2021-07-13: Communication with the vendor re-established, technical details sent<br \/>2021-07-23: Pinged for status, no response<br \/>2021-07-29: Vendor responded that a fix has been implemented<br \/>2021-07-29: Fix confirmed, vendor pinged for disclosure coordination \u2013 no response<br \/>2021-08-22: Public disclosure<\/p>","protected":false},"excerpt":{"rendered":"<p>Summary Substack had an open redirect vulnerability in their login flow which would have allowed an attacker to facilitate phishing attacks. The vendor has deployed a fix for this issue. Vulnerability Details Substack is an online platform that allows users to create and operate free and paid subscription newsletters. 
This platform had an open redirect [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":249,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-248","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/248"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=248"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/248\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/249"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=248"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=248"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=248"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}