WorldHealthOrganization / app

COVID-19 App

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Broken Link on who-covid-19-mobile-app's Vulnerability Submission Form on Hackerone

jaimaakali opened this issue · comments

Steps To Reproduce:

Visit https://hackerone.com/who-covid-19-mobile-app/reports/new?type=team&report_type=vulnerability

Click on Security Page.

After that, you'll be redirected to the 404 HackerOne page.

This will impersonate your security page and steal legitimate reports.

References:
https://edoverflow.com/2017/broken-link-hijacking

Similar report : https://hackerone.com/reports/1225299

POC video : recording-1624273892143.webm

@171217

Impact

New researchers can be further deceived if they click on the hijacked link.

A specific case might be for a malicious user to create a fake account on that broken redirection link and deceive researchers arriving on that link. For example, the attacker can ask the researcher to submit his report to him first and if he approves, then only he can submit it to your official page. In this way, it can cause huge damage to your company if a critical severity report is mis-directed to the attacker.

commented

This item has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.