Report ID: teamwork-2019-01-18a
Researcher name: Julien Cretel
Researcher email: jcretel-infosec@protonmail.com
Report date: 18/01/2019
Status: fixed (18/01/2019)
I've found an open-redirect vulnerability on https://www.teamwork.com.
The endpoint of interest is https://www.teamwork.com/welcome,
where the value of query parameter code doesn't seem to be validated in any way.
This vulnerability can be exploited by attackers to mount phishing attacks against (possibly high-value) Teamwork users in order to
- steal their Teamwork credentials;
- install malware on their machines.
- The attacker designs a malicious website to look like the Teamwork Projects login page,
and serves it at
https://attacker-controlled-site.com. Note: the attacker may use a domain name more similar toteamwork.com(e.g.tearnwork.com). - The attacker performs some reconnaissance on Teamwork users and acquires some high-impact targets. Some "misfeatures" of the Teamwork Web app make this relatively easy (more details about this available on demand).
- The attacker shares the following crafted URL
https://www.teamwork.com/welcome?code=https://attacker-controlled-site.comwith the victim, either by email or from within one of the Teamwork products. Note: the attacker may hex-encode the query parameter in order to obfuscate it. - The victim follows the link.
- The victim clicks the Go to Projects button, and immediately gets redirected to
https://attacker-controlled-site.com, which looks like the Teamwork login form. - The victim fills the login form and submits it, thereby handing over her Teamwork credentials to the attacker.
This (unlisted) video illustrates such an attack.
OWASP's cheat sheet dedicated to this type of vulnerability provides some guidance.