1. Summary
I found an open redirect in Alibaba's login flow. An open redirect is a bug where an attacker can specially craft a login URL that sends users/victims to an attacker-controlled site (evilsite) after they log in. Because the domain in the link is the real website's domain, the URL doesn't look suspicious, so an attacker can easily trick a victim with this method.
2. Report I submitted
Here's the actual report that I submitted to Alibaba.
Summary:
Alibaba's login is handled by passport.alibaba.com, which is a different URL from the main site. A return_url field carries the user's previous page so they can be redirected back to it after login. This parameter is heavily filtered and does not allow any third-party URL, for obvious reasons. In this exploit I bypassed that filter and was able to redirect the user.
Steps To Reproduce:
This can be reproduced as follows:
- Visit https://passport.alibaba.com/icbu_login.htm?return_url=%2f3627734734
- Log in with your details, or click "Access now" if you're already logged in
You will be redirected to Google. (Note: I have used Google as a sample here; Google will redirect to a different IP depending on your location and an SSL warning might appear. That will not happen if I use another IP without SSL.)
Tested on
Chrome 79.0.3945.130
Impact
Open redirect; redirecting the user to a phishing site; reflected download of a malicious file onto the user's computer
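As an added example (not part of the report and not Alibaba's code), this is the server-side check I'd expect a return_url handler to apply: decode the parameter once, accept only a site-relative path or an https URL on an allow-listed host, and normalise integer-encoded IPv4 hosts such as 3627734734 (the decimal form of the IPv4 address 216.58.214.206) before comparing against the allow-list. SITE_ORIGIN, ALLOWED_HOSTS and the function names are assumptions.

```python
"""Allow-list check for a login return_url parameter (added example)."""
import ipaddress
from urllib.parse import unquote, urlsplit

# Hypothetical deployment values: the origin that performs the login and the
# only hosts a post-login redirect may land on.
SITE_ORIGIN = "https://passport.alibaba.com"
ALLOWED_HOSTS = {"passport.alibaba.com"}


def canonical_host(host):
    """Normalise a host for allow-list comparison. Integer spellings of an
    IPv4 address (decimal '3627734734', hex '0xd83ad6ce') become the dotted
    quad a browser would connect to, so an alternate encoding cannot slip
    past a plain string compare."""
    if host is None:
        return None
    host = host.lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(int(host, 0)))
    except ValueError:
        pass
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host


def safe_return_url(raw, default="/"):
    """Return the URL the server may redirect to after login, or `default`.
    The parameter is decoded once (the report used %2f), then classified:
    an absolute URL must be https on an allowed host; anything else must be
    a site-relative path beginning with exactly one slash."""
    value = unquote(raw or "")
    if not value or any(ord(c) < 0x20 for c in value):  # empty, CR/LF smuggling
        return default
    value = value.replace("\\", "/")  # browsers treat a backslash as a slash
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:  # absolute or protocol-relative (//host)
        allowed = {canonical_host(h) for h in ALLOWED_HOSTS}
        if parts.scheme != "https" or canonical_host(parts.hostname) not in allowed:
            return default
        return value
    if not value.startswith("/") or value.startswith("//"):
        return default
    return SITE_ORIGIN + value  # the server, not the client, supplies the origin
```

The redirect handler should send the return value of safe_return_url in the Location header rather than echoing the raw parameter, so a same-site path such as /3627734734 stays on passport.alibaba.com while any host-bearing form is dropped.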