Tuesday, 11 February 2014

Reddit Open Rediect Vulnerability



A few weeks ago I was browsing BugCrowds List of Bug Bounty Programs for new bounties and noticed that reddit was now on the list. Seeing as I am an avid reddit reader, I thought it would be worth a try having a look around to see if I could identify any vulnerabilities. 

After some Google searching, utilising a couple techniques I normally use... and of course some trial and error, I landed myself at this particular URL which seemed fairly interesting: http://www.reddit.com/s/http://xml.php. From looking at the URL you can see that there is an opportunity for an open-redirect so I replaced 'http://xml.php' with 'http://www.bbc.co.uk' to see if it worked and unfortunately no redirect happened. I decided to not give up here and tried a few more URLs until finally when I tried 'http://www.theb9.com' the redirect was successful. I was not 100% sure why it was only redirecting to particular URLs, my original theory was that it was redirecting to URLs that had not been submitted to reddit before, however I still wasn’t sure and of course this was just a theory. To shed a bit of light on what was actually happening, the guy who replied to my original email, /u/kemitche, enlightened me on the matter, here is the email I received:

"To clarify exactly what was happening:
Visiting http://www.reddit.com/s/<url> would create an iframed (http://en.wikipedia.org/wiki/HTML_element#Frames) view of <url> with the reddit "toolbar." The purpose of the toolbar is to provide easy access to voting & comments pages for submitted URLs, but only for users who are logged in and have enabled it.

In general, the framed website can behave in one of 3 ways: (1) Do nothing / act normally. You'll see the page normally, with the reddit toolbar across the top. (2) Send an X-FRAME-OPTIONS header with a value of DENY. Browsers will refuse to load <url> in a frame, and the user would see the toolbar and a blank screen where the frame should be. (3) Use javascript framebusting (http://en.wikipedia.org/wiki/Framekiller) techniques to "break out" of being framed, and redirect the user to the main site, without the reddit toolbar.

Prior to fixing the vulnerability, a malicious site could use option (3) in conjunction with a link to http://www.reddit.com/s/<url> to, effectively, create an redirect from reddit to their website."

I immediately contacted reddit using the email address on their WhiteHat wiki page and let them know about the vulnerability. Around a week later I got an email back from /u/kemitche where he notified me that a fix had been implemented which involved disabling the framing present on that particular page and redirecting any URLs that had not been submitted previously, to the http://www.reddit.com/submit page. 

As a reward for my effort in identifying and reporting the vulnerability to reddit, I was awarded a White Hat trophy which now appears on my reddit profile.

No comments:

Post a Comment