Page MenuHomePhabricator
Create Task
Maniphest T395195

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Closed, ResolvedPublicSecurity
Actions

Assigned To
None
Authored By
Speedios999
May 24 2025, 8:44 PM
Tags
Referenced Files
F60509876: image.png
May 25 2025, 4:23 PM
F60509856: image.png
May 25 2025, 4:23 PM
F60509819: image.png
May 25 2025, 4:23 PM
F60509808: image.png
May 25 2025, 4:23 PM
F60509762: image.png
May 25 2025, 4:23 PM
F60509722: image.png
May 25 2025, 4:23 PM
F60509672: image.png
May 25 2025, 4:23 PM
F60509636: image.png
May 25 2025, 4:23 PM
View All 11 Files
Subscribers
Aklapper
Bawolff
Ejegg
greg
sbassett
Speedios999

Description

Steps to replicate the issue (include links if applicable):

1- Go to https://donate.wikimedia.org

image.png (1×1 px, 155 KB)

2- Select any amount to donate And Click Donate By Credit Card
image.png (1×1 px, 162 KB)

3- Type your data to process
image.png (1×1 px, 105 KB)

4- Intercept the request in Burp Suite And Click Donate
image.png (997×877 px, 29 KB)

image.png (1×1 px, 108 KB)

5- Forward all requests until you see https://payments.wikimedia.org/api.php POST request
image.png (1×905 px, 110 KB)

6- Intercept the response of this request
image.png (1×780 px, 111 KB)

7- Manipulate the response to {"warnings":{"main":{"*":"Unrecognized parameter: gateway_session_id."}},"result":{"iframe":null,"redirect":"https://embed.wikimedia.gr4vy.app/start-method.html?authUrl=https://api.wikimedia.gr4vy.app/three-d-secure-auth?&redirectUrl=https://evil.com","formData":[],"isFailed":false}}
image.png (941×1 px, 178 KB)

8- Forward the Response And Stop interception
image.png (52×211 px, 1 KB)

What happens?
You will redirect to https://evil.com
image.png (1×1 px, 68 KB)

What should have happened instead?
Must redirect to https://payments.wikimedia.org/index.php?title=Special:GravyGatewayResult&order_id=* not any url
image.png (1×1 px, 69 KB)

A full link to a web address where the issue can be seen:
You can use the redirect Without These Steps: https://embed.wikimedia.gr4vy.app/start-method.html?authUrl=https://api.wikimedia.gr4vy.app/three-d-secure-auth?&redirectUrl=https://evil.com

the web browser(s) and web browser version(s) that you tested:
Firefox And Chrome Latest Versions

Details

Risk Rating
Low
Author Affiliation
Other (Please specify in description)
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Add Speedios999 to security.wikimedia.org hall of fameoperations/deployment-chartsmaster+1 -1
Customize query in gerrit
Related Changes in GitLab:
TitleReferenceAuthorSource BranchDest Branch
Add Speedios999 to Wikimedia security hall of famerepos/sre/miscweb/security-landing-page!15sbassettT395195-add-Speedios999master
Customize query in GitLab

Event Timeline

Speedios999 created this task.May 24 2025, 8:44 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 24 2025, 8:44 PM
Aklapper changed the task status from Open to Stalled.May 25 2025, 12:56 AM

Hi @Speedios999, thanks for taking the time to report this! Unfortunately this Wikimedia Phabricator task lacks some information.
If you have time and can still reproduce the situation: Please add a more complete description to this task. That should be

  • a clear and complete list of exact steps to reproduce the situation, step by step, so that nobody needs to guess or interpret how you performed each step,
  • what happens after performing these steps to reproduce,
  • what you expected to happen instead,
  • a full link to a web address where the issue can be seen,
  • the web browser(s) and web browser version(s) that you tested.

You can edit the task description by clicking Edit Task. Ideally, a good description should allow any other person to follow these steps (without having to interpret steps) and see the same results. Problems that others can reproduce can get fixed faster. Thanks again!

Speedios999 renamed this task from Open Redirect Vulnerability to CWE-601: URL Redirection to Untrusted Site ('Open Redirect').May 25 2025, 4:23 PM
Speedios999 claimed this task.
Speedios999 reassigned this task from Speedios999 to Aklapper.
Speedios999 added a project: Vuln-OpenRedirect.
Speedios999 updated the task description. (Show Details)
Speedios999 added a comment.May 25 2025, 4:26 PM

Updated.

Bawolff removed Aklapper as the assignee of this task.May 25 2025, 5:46 PM
Bawolff subscribed.

Generally if you have to intercept and modify the http responses in transit, its not a real security vuln. Are you able to do this without launching a man in the middle attack?

Speedios999 added a comment.May 25 2025, 6:15 PM

Yes, I can use this link to make victim redirect to my website Via Trusted Wikimedia Domain

https://embed.wikimedia.gr4vy.app/start-method.html?authUrl=https://api.wikimedia.gr4vy.app/three-d-secure-auth?&redirectUrl=https://evil.com

Aklapper added a comment.May 25 2025, 6:38 PM

Yes, I can use this link to make victim redirect to my website Via Trusted Wikimedia Domain

That link does not call any Trusted Wikimedia Domain. That link does not call donate.wikimedia.org at all.

Please explicitly tell us which domain controlled by Wikimedia you are talking about, and clear steps to reproduce some problem with a Wikimedia domain. Thank you!

sbassett added a project: Wikimedia-Fundraising.May 28 2025, 6:51 PM
sbassett subscribed.
In T395195#10855236, @Aklapper wrote:

Yes, I can use this link to make victim redirect to my website Via Trusted Wikimedia Domain

That link does not call any Trusted Wikimedia Domain. That link does not call donate.wikimedia.org at all.

I can't really tell from all of the obfuscated js they load in their test url, but I believe their example is creating an html post (with an evil redirect value as they show in F60509722) and submitting it to the di_donate_gravy action for https://payments.wikimedia.org/api.php. This isn't exactly an open redirect in the traditional sense which begs the question of how this would actually be exploited in the wild. If an attacker is going to socially engineer some url for a victim to click, as is necessary in this example, why not just do the bad stuff with that url? The reputational exploit of an open redirect isn't present here, since the victim would never even see or know they were passed through payments.wikimedia.org, unless they themselves were proxying or monitoring their web requests (quite dubious). What other threats might exist? The victim is never prompted for their own payment information, so forcing some unauthorized transaction seems unlikely or impossible. And again, if the attacker had a victim's payment information, why not just use it? I'll add Wikimedia-Fundraising to get their opinion on this, but I'm really not sure it's even worth the effort to build an allow-list for the various redirects payments.wikimedia.org might use.

sbassett changed Author Affiliation from N/A to Other (Please specify in description).May 28 2025, 6:52 PM
sbassett changed Risk Rating from N/A to Low.
sbassett added subscribers: Ejegg, greg.
Speedios999 added a comment.May 28 2025, 7:11 PM

I just expected to exploit this in phishing attacks as i saw Wikimedia name in that URL , i made these steps to explain how to get that link but anyway if you see that its not a vuln no problem you can close the report i just wanted to help.

Ejegg added a comment.May 28 2025, 8:58 PM

Agreed with sbasset, it looks like this is not an issue on donate nor on paymentswiki, but might be something the payment processor (gr4vy) should mitigate. I'll pass this along to them!

greg added a comment.May 28 2025, 9:15 PM

Thanks @Ejegg and @sbassett!

sbassett added a comment.EditedMay 29 2025, 1:54 AM
In T395195#10865547, @Speedios999 wrote:

I just expected to exploit this in phishing attacks as i saw Wikimedia name in that URL , i made these steps to explain how to get that link but anyway if you see that its not a vuln no problem you can close the report i just wanted to help.

That's fine. I'd agree that this isn't an amazing thing for the payment processor (gr4vy) to allow, but given our threat model and the way this would need to be exploited, I wouldn't rate it more than a very low risk. And we'd certainly always encourage folks to report anything they think might be a security issue within Wikimedia code.

sbassett triaged this task as Low priority.May 29 2025, 1:54 AM
Bawolff added a comment.EditedMay 29 2025, 3:35 AM

Maybe this is neither here nor there, but its kind of shocking to me that wikimedia uses a payment processor with a 1337-speek name.

I must admit, when i originally read this report, i thought gr4vy.app was the reporter's website, since i assumed no legitament company (or at least not one in the financial space) would use a name like that.

Speedios999 added a comment.May 29 2025, 3:55 AM

Yes, Payment gateway security is very weak no encryption no limit at least a google captcha it’s vulnerable for credit cards checking so attacker can know the live credit cards from a list of credit cards (of course I don’t mean random credit cards, I mean like dump,leaked data,bin generating, ….)

sbassett added a comment.EditedMay 29 2025, 2:38 PM
In T395195#10866455, @Bawolff wrote:

I must admit, when i originally read this report, i thought gr4vy.app was the reporter's website, since i assumed no legitament company (or at least not one in the financial space) would use a name like that.

Oh yeah, oof, that's not great. I thought it was some kind of test site. I still believe that the reputational portion of a traditional open redirect isn't really present here. But as @Ejegg noticed, we should at least report this to gr4vy as something they could certainly tighten up.

Speedios999 added a comment.May 29 2025, 2:56 PM

Do I have a chance to earn a spot in the Hall of Fame, or is it out of reach this time?

greg added a comment.May 29 2025, 5:09 PM
In T395195#10867777, @sbassett wrote:

But as @Ejegg noticed, we should at least report this to gr4vy as something they could certainly tighten up.

We're setting up a call with them shortly. We already made them aware of the issue and they are investigating their solution options.

And no comment on the name spelling ;)

sbassett added a comment.May 29 2025, 5:11 PM
In T395195#10867855, @Speedios999 wrote:

Do I have a chance to earn a spot in the Hall of Fame, or is it out of reach this time?

Possibly, though I'd prefer to wait on a response from gr4vy before completing resolving this issue. Thanks.

Speedios999 added a comment.Jun 2 2025, 1:55 PM
In T395195#10868460, @sbassett wrote:
In T395195#10867855, @Speedios999 wrote:

Do I have a chance to earn a spot in the Hall of Fame, or is it out of reach this time?

Possibly, though I'd prefer to wait on a response from gr4vy before completing resolving this issue. Thanks.

Any news?, the bug is fixed

sbassett added a comment.EditedJun 2 2025, 2:00 PM
In T395195#10875543, @Speedios999 wrote:

Any news?, the bug is fixed

Ok, sorry for my first response, I misread your comment. I'd like fr-tech (@Ejegg) to respond with any update they received from the vendor (or at least a summary or acknowledgement) and then we can resolve this task.

sbassett moved this task from Incoming to Watching on the Security-Team board.Jun 2 2025, 4:24 PM
sbassett added a project: SecTeam-Processed.
sbassett added a comment.Jun 2 2025, 5:28 PM

Ok, I've confirmed with @Ejegg that the vendor was extremely responsive and did end up hardening their code last Friday (2025-05-29). They have also promised to expand their security and pen-testing efforts to better catch issues like this in the future. I'm going to make this task public now and will work to add @Speedios999 to the Wikimedia security hall of fame.

sbassett closed this task as Resolved.Jun 2 2025, 5:29 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
CodeReviewBot added a project: Patch-For-Review.Jun 3 2025, 3:37 PM

sbassett opened https://gitlab.wikimedia.org/repos/sre/miscweb/security-landing-page/-/merge_requests/15

Add Speedios999 to Wikimedia security hall of fame

CodeReviewBot added a comment.Jun 3 2025, 8:55 PM

sbassett merged https://gitlab.wikimedia.org/repos/sre/miscweb/security-landing-page/-/merge_requests/15

Add Speedios999 to Wikimedia security hall of fame

gerritbot added a comment.Jun 3 2025, 9:00 PM

Change #1153360 had a related patch set uploaded (by SBassett; author: SBassett):

[operations/deployment-charts@master] Add Speedios999 to security.wikimedia.org hall of fame

https://gerrit.wikimedia.org/r/1153360

gerritbot added a comment.Jun 3 2025, 9:26 PM

Change #1153360 merged by jenkins-bot:

[operations/deployment-charts@master] Add Speedios999 to security.wikimedia.org hall of fame

https://gerrit.wikimedia.org/r/1153360

Maintenance_bot removed a project: Patch-For-Review.Jun 3 2025, 9:32 PM
Speedios999 added a comment.Jun 3 2025, 9:54 PM
This comment was removed by Speedios999.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits