Hi There,

Renganathan here.

This write-up is about the vulnerability that I found on Medium which will allow me to hack your medium account by phishing your FB, Twitter & Google credentials.

YES :P

A few months ago I saw Pratik Dabhi was listed in the medium hall of fame. So I was motivated to hunt bugs on Medium. I enumerated the subdomains and stopped there because my methodologies in earlier days were very outdated and I was not good at recon.

So I thought of giving it a try again.

I started with collecting the interesting parameters with Waybackurls, ParamSpider & Gau. simultaneously I was manually exploring the site and also spider the medium with the Burp Suite.

Then after some time, I was searching for the Open Redirection parameters like the below ones.

?next=?url=?target=?rurl=?dest=?destination=?redir=redirect_uri=?redirect_url=?redirect=/redirect/cgi-bin/redirect.cgi?{}/out//out??view=/login?to=?image_url=?go=?return=?returnTo=?return_to=?checkout_url=

And then I noticed an awesome parameter which was:

redirect=

I was like

But it was not just an open redirection. I changed the return path to attacker.com

When I clicked on Sign in with Twitter, I was redirected to attacker.com

This can lead to phishing like the below POC:

https://youtu.be/sCrcv5Hn6mc

Edit: SSRF isn’t possible, and the logs contain my IP 0_0

TimeLine:

July 15, 2021 - Reported

July 18, 2021 - Patched by Internal Security Team

July 28, 2021 - Was asked how to get credited in humans.txt (Hall of fame)

July 29, 2021 - Got listed in Medium Hall of fame.

Thanks for reading :)
Stay Safe.

https://www.instagram.com/renganathanofficial/