Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Security report: Open redirect at https://www.teamwork.com/welcome

Report ID: teamwork-2019-01-18a

Researcher name: Julien Cretel

Researcher email: jcretel-infosec@protonmail.com

Report date: 18/01/2019

Status: fixed (18/01/2019)

Vulnerability

I've found an open-redirect vulnerability on https://www.teamwork.com. The endpoint of interest is https://www.teamwork.com/welcome, where the value of query parameter code doesn't seem to be validated in any way.

Risks & threats

This vulnerability can be exploited by attackers to mount phishing attacks against (possibly high-value) Teamwork users in order to

  • steal their Teamwork credentials;
  • install malware on their machines.

Example attack scenario: stealing Teamwork credentials

  1. The attacker designs a malicious website to look like the Teamwork Projects login page, and serves it at https://attacker-controlled-site.com. Note: the attacker may use a domain name more similar to teamwork.com (e.g. tearnwork.com).
  2. The attacker performs some reconnaissance on Teamwork users and acquires some high-impact targets. Some "misfeatures" of the Teamwork Web app make this relatively easy (more details about this available on demand).
  3. The attacker shares the following crafted URL https://www.teamwork.com/welcome?code=https://attacker-controlled-site.com with the victim, either by email or from within one of the Teamwork products. Note: the attacker may hex-encode the query parameter in order to obfuscate it.
  4. The victim follows the link.
  5. The victim clicks the Go to Projects button, and immediately gets redirected to https://attacker-controlled-site.com, which looks like the Teamwork login form.
  6. The victim fills the login form and submits it, thereby handing over her Teamwork credentials to the attacker.

This (unlisted) video illustrates such an attack.

Mitigation

OWASP's cheat sheet dedicated to this type of vulnerability provides some guidance.

Resources

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment