Open Redirect Vulnerability On Zapier: An Accidental Find

Open Redirect Vulnerabilities have been around for a long time now, finding one can either be extremely easy, or at the same time can be extremely difficult to find. Read on to find out how I found an Open Redirect Vulnerability on a popular automation application.

Report: Open Redirect Vulnerability

Program: Zapier Bug Bounty Program

Payout: $100

About The Vulnerability

Applications redirect user from one part of the website to another by using query parameters like ?next=url or ?to=url, let’s say a website xyz wants to redirect the user to his cart after logging in , we would see that the url would then be something like: www.xyz.com/login?next=%2Fcart, now what if I change the value of /cart to an another website not part of xyz? If not protected against open redirects, xyz will happily redirect to the website mentioned thus causing an Open Redirect. While redirecting xyz might even include the auth token in ?token= giving full account access to the attacker. You must have seen the popular “You are leaving our site” confirmation popups on popular websites.

Finding The Vulnerability

Zapier integrates with a ton of Websites and one day while I was working on my project, I was taken to Zapier to retrieve one of their templates, as I was logging in through my Google account I noticed the url which had a parameter ?next=template-id which would take me to the desired template after logging in.

I changed the template ID to https://google.co.in but that didn’t seem to bypass Zapier’s open redirect protection, so I decided to encode the URL like: https%3A%2F%2Fgoogle.co.in and the next thing I know, as soon as I logged in, I was redirected to the Google homepage. I immediately reported the flaw, and Zapier team reverted back quickly and confirmed that the vulnerability was now fixed and awarded me a bounty of $100!

PoC Video:

More about Open Redirects: https://portswigger.net/kb/issues/00500100_open-redirection-reflected

Zapier’s Bug Bounty Hall Of Fame: https://zapier.com/engineering/bug-bounty-hall-of-fame/

Until next time!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store