+1 (512) 588 6950
Hi guys, Today, I’m gonna show you the Open Redirection vulnerability I found at Apple’s subdomain using the dot character.
I don’t have permission to publish this subdomain so I won’t publish it but you can think of it as a forum area where users are active. So I’ll call it “redacted” and let’s get started!
First of all, when we visit the redacted.apple.com subdomain, there is a login screen here and logging in is quite simple.
As you can see in the picture, the ?path= parameter is set to redirect to another page in the same subdomain in the section for choosing a nickname for users who log in for the first time.
This process will probably be redirected to “/welcome?login=true” for first-time users after all prerequisites have been completed correctly.
As I guessed, the redirect was redirecting to the specified page after choosing the username and uploading the avatar. Of course, I tried some payloads here primarily like https://evil.com & //evil.com etc.
Actually, what was interesting to me here was that after using the //evil.com payload, the response was /evil.com with a single ‘/’ character.
If you are using a payload like ?path=//evil.com then the following is expected: redacted.apple.com//evil.com
However, the response I got is as follows: redacted.apple.com/evil.com
In this case, I thought the only ‘/’ appended to the end was due to my payload, and I thought of just typing evil.com
The behavior I actually expected was to be redirected to a non-existent redacted.apple.comevil.com domain, but instead, I returned to “/welcome?login=true”. For most parameters, it would be okay to simply navigate to evil.com in the subdomain. (?path=evil.com > x.apple.com/evil.com)
Finally, an idea came to my mind and I hadn’t seen it anywhere before. I was thinking purely theoretically and was surprised to see that it was possible at Apple.
If we set the payload to .evil.com (ie ?path=.evil.com), “.” character will be appended to the end of redacted.apple.com and thus making it a subdomain of evil.com.
And here is the result we expect. Adding a dot character in front of the payload means that the “/” character is missing in some cases. This makes redacted.apple.com a subdomain of evil.com
This vulnerability was fixed by team and I was added the Apple Hall of Fame.
That’s all for now. Thanks for reading this far and I hope you liked it!