We started with the LinkedIn mobile website: https://touch.www.linkedin.com/
Issuing the request in Burp Suite, we found that it did not work with two slashes (as Pierre describes in his vulnerability), so we tested with 4 slashes, and this is what we got:
Open redirect, yey!
Proof of Concept
Report timeline
- April 28, 2015 - Bug reported to LinkedIn
- April 28, 2015 - Confirmation from LinkedIn’s security team
- May 28, 2015 - Pinged LinkedIn team
- May 28, 2015 - Bug fixed
- September 24, 2015 - Public disclosure
Now the story with Yahoo is more fun. We found two websites from Yahoo using express.js:
developer.yahoo.com
publish.yahoo.com
Proof of Concept
Report timeline
- May 28, 2015 - Bug reported to Yahoo
- May 28, 2015 - Yahoo’s security team tells us to report it on HackerOne
- May 28, 2015 - Bug reported to HackerOne
- May 28, 2015 - Response from HackerOne: “Thank you for your submission to Yahoo! We are aware of this functionality on our site and it is working as designed. Open redirects have been out of scope since January 1st, 2014. Please continue to send us vulnerability reports!”
- September 24, 2015 - Public disclosure
Both websites are still vulnerable.
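A defensive check for the multi-slash behaviour described above, as an added example that is not part of the original post or of Express itself: it flags redirect targets that a browser would resolve to another host and normalises the target before it reaches the `Location` header. The origin `https://app.example`, the host `attacker.example` and both function names are assumptions made for illustration.

```javascript
// Added example (not from the original post). Constructed values:
// SITE_ORIGIN and attacker.example are placeholders for illustration.
const SITE_ORIGIN = 'https://app.example';

// Detection: does this Location value leave the site when a browser resolves it?
// The WHATWG URL parser treats "//host", "////host" and "/\host" alike:
// after the first slash, any further slashes or backslashes introduce a host.
function leavesSite(target, origin = SITE_ORIGIN) {
  try {
    return new URL(target, origin).origin !== new URL(origin).origin;
  } catch {
    return true; // unparseable targets are treated as unsafe
  }
}

// Mitigation: return a site-relative path that is safe to put in Location.
function safeRedirectTarget(target, origin = SITE_ORIGIN) {
  if (typeof target !== 'string' || target === '') return '/';
  // Control characters (CR, LF, TAB, ...) have no place in a redirect target.
  if (/[\u0000-\u001f\u007f]/.test(target)) return '/';
  // Browsers read "\" as "/" in http(s) URLs, so normalise it first.
  let path = target.replace(/\\/g, '/');
  // Absolute URLs and anything else not starting with "/" are rejected.
  if (!path.startsWith('/')) return '/';
  // Collapse the run of leading slashes: "////host/" becomes "/host/".
  path = path.replace(/^\/+/, '/');
  // Belt and braces: resolve and confirm the origin did not change.
  if (leavesSite(path, origin)) return '/';
  const url = new URL(path, origin);
  return url.pathname + url.search + url.hash;
}
```

Running every computed redirect target through `safeRedirectTarget` (or rejecting requests where `leavesSite` is true) keeps a path with repeated leading slashes on the site's own origin.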