21.01.2021 | Sebastian Schwegler

Security advisory for open redirect in Vodafone components

Open redirect is a security vulnerability (CWE-601: URL Redirection to Untrusted Site) that attackers can abuse to forward users to dangerous pages.

A web application receives a query parameter containing a location, normally some kind of internal resource or URL, and answers with an HTTP response with status code 301 or 302 that carries the value of that query parameter in the ‘Location’ header. The browser follows this redirect. An example of such a URL is https://www.example.org/verify?redirect=success.html

If the application is vulnerable to open redirect, an attacker can pass an arbitrary external URL as the redirect parameter: https://www.example.org/verify?redirect=www.evil-page.com

A client who clicks this link is redirected to evil-page.com. If the domain example.org belongs to a trusted company or organisation, attackers can use such links in phishing mails to gain the victims' trust.

To prevent such a vulnerability, the redirect parameter needs to be validated before it is used.
We discovered such an open redirect vulnerability in one of Vodafone's URLs that is used to verify customer email addresses. This is a serious security risk, because Vodafone uses this URL to verify legacy customer data, so nobody would expect a redirect to a malicious page when receiving such a URL from Vodafone.
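The validation the previous paragraphs call for, shown as an added example that is not part of the original post and not Vodafone's code: the redirect parameter is only honoured if it resolves to a path on a small allow-list of the site's own pages, and everything else (external hosts, protocol-relative values, non-https schemes, userinfo and backslash variants, `..` traversal) falls back to the site root. The host `www.example.org`, the allow-list and the sample inputs are constructed for this illustration.

```python
from urllib.parse import urlsplit, urljoin

# Constructed values for this example (not taken from the advisory): the
# application's own host and the local paths the verify endpoint may send
# users to after a successful email verification.
TRUSTED_HOST = "www.example.org"
ALLOWED_PATHS = {"/success.html", "/verify/done"}
FALLBACK = "/"


def safe_redirect_target(redirect_param, trusted_host=TRUSTED_HOST):
    """Return a Location value that is guaranteed to stay on trusted_host.

    Accepted: a path on the allow-list, given either relatively
    ('success.html', '/success.html') or as an absolute https URL on our own
    host. Everything else (other hosts, protocol-relative '//evil', non-https
    schemes, userinfo tricks, backslash variants) collapses to FALLBACK.
    """
    if not redirect_param:
        return FALLBACK
    # Some browsers treat a backslash like a forward slash, so '/\evil.com'
    # would be followed as '//evil.com'. Normalise before parsing.
    candidate = redirect_param.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only https on our own host passes.
        # .hostname is lower-cased and excludes userinfo and port, so
        # 'https://www.example.org@evil.com/' yields hostname 'evil.com'.
        if parts.scheme != "https" or parts.hostname != trusted_host:
            return FALLBACK
        path = parts.path or "/"
    else:
        path = parts.path
    # Resolve the path against the site root. This turns 'success.html' into
    # '/success.html' and collapses '..' segments, so
    # '/success.html/../../admin' cannot slip past the allow-list as a prefix.
    resolved = urlsplit(urljoin(f"https://{trusted_host}/", path)).path
    return resolved if resolved in ALLOWED_PATHS else FALLBACK


def check_samples():
    """Run the validator over constructed sample inputs; returns {input: result}."""
    samples = [
        "success.html",
        "/success.html",
        "https://www.example.org/verify/done",
        "www.evil-page.com",                  # the case from the post's example
        "//www.evil-page.com",                # protocol-relative
        "https://www.evil-page.com/",
        "https://www.example.org.evil-page.com/",
        "https://www.example.org@www.evil-page.com/",
        "/\\www.evil-page.com",
        "javascript:alert(1)",
        "/success.html/../../admin",
    ]
    return {s: safe_redirect_target(s) for s in samples}


if __name__ == "__main__":
    for value, target in check_samples().items():
        print(f"{value!r:48} -> {target}")
```

The allow-list is the important part: a check that merely compares the host name still lets `..` traversal or look-alike hosts through, whereas resolving the value against the site root and then requiring exact membership in a known set of local paths leaves no room for an attacker-controlled destination. If the application needs to redirect to many pages, the allow-list can be replaced by a prefix check on the resolved path, but the resolution step must stay.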

More details are available in the security advisory EXX-2021-01:

Advisory-EXX-2021-01

Tags: advisory, open redirect, phishing, Security
  1. Bernhard
    It is unbelievable how carelessly some companies deal with their IT systems. I'm afraid they don't even know it's dangerous.
