URL redirect bug

[orthzar]

This issue is submitted as per this SN post.

Problem

First of all, this bug is severe, because it could be used to phish user credentials -- and SN accounts involve money.

Some SN pages currently redirect signed-in users to any URL. For instance, these two links will redirect you to Google:
https://stacker.news/signup?callbackUrl=https%3A%2F%2Fwww.google.com%2F
https://stacker.news/login?callbackUrl=https%3A%2F%2Fwww.google.com%2F

It would be trivial to send SN users emails, which contain links that seem legit, but which actually redirect them to a fake SN login page. The credentials harvested through such a page would be used to steal user funds. The only thing the attacker would need is SN user email addresses, which have been accidentally leaked once before.

The bug exists in pages/signup.js and pages/login.js. Both have a function getServerSideProps, which seems to not check the content of callbackUrl. The bug only affects users who are signed in, because the session variable has to be non-null in getServerSideProps for the redirect to work.

callbackURL is also mentioned in pages/settings.js, pages/invites/[id].js, and some files in the components folder. I have not looked at or tested those files.

Solutions

This bug could be solved by either eliminating the redirection functionality; or by checking the domain in callbackUrl (e.g. by only allowing redirects to stacker.news). I don't know which solution would be correct, because I don't know what purpose this redirection serves.

Sorry, I don't have any code to offer. I have no experience writing Javascript and there isn't enough time for me to learn.

[ekzyis]

Thanks for posting! I actually didn't see the SN post but saw this ticket here.
So thank you very much, I guess we would have totally missed it otherwise.

This is definitely an issue and we should warn users before redirecting them to external sites like many other sites do.

For example, clicking on this link shows a prompt before redirecting: https://www.google.com/url?q=https://www.bufferzonesecurity.com :

More info about open redirects here: https://bufferzonesecurity.com/open-redirection-what-is-this-phishing-technique-and-how-do-i-defend-against-it/

Therefore, an attacker could just create a very similar site that looks like SN to grab credentials from users who don't check the URL again. So I agree, this is indeed severe.

Fortunately, the fix should be easy by just validating the callback URL. Will create a PR in a few minutes.

[ekzyis]

Taking a more closer look, I realized that grabbing of credentials wasn't possible.

No login or signup method uses passwords on SN.

For example, using Lightning for authentication, a different pubkey would have been created since the domain name is included during key derivation.
I assume similar is true for Slashtags authentication.

Using Github and Twitter, a third-party authenticates the user.

With E-Mail, a link is sent to the address for signup and login.

So afaik, there was no possibility to grab user credentials and steal funds using this exploit. Users can't enter a password on a phishing site if they have none.

@huumn, @ShellInjector, @orthzar, do you come to the same conclusion?

But of course still thanks for creating this ticket! I think this was still a severe issue which may be used for other malicious stuff. We should definitely warn users when they leave SN when it's unexpected.

[ShellInjector]

Sure! there was no possibility to perform such advanced attacks , but if someone manage to escalate the issue to Cross site scripting or so . maybe there will be a scenario stealing Cookies or Interesting headers .

[huumn]

Alright fix deployed. Thank you everyone. I'll send you all some sats today.