Yassine ABOUKIR

Security Analyst at HackerOne Inc


Mozilla SUMO cache poisoning and open redirect

July 12, 2016, by Yassine ABOUKIR

This article covers a security vulnerability I previously discovered in one of Mozilla's web services. The discovery goes back to April 2016, a period in which I was enrolled in a bug bounty challenge with two of my friends. The challenge was quite competitive and each of us had a pretty productive month. I recommend this method to my fellow bug hunters as a way to stay motivated and boost productivity.

Over the past years, Mozilla has always been my favorite bug bounty program, and you will notice my name is repeatedly listed in their Hall of Fame. They handle security reports seriously and tackle them professionally, and their payouts are attractive. The web service in question is SUMO (SUpport.MOzilla.org), which is “a global gathering of many enthusiastic and dedicated people whose passion is to help all users of Mozilla’s software and products” (SUMO). As a matter of fact, the web service is not actually in the scope of the program; however, Mozilla encourages researchers to report every potential bug even if it is out of scope, and in my experience they sometimes make exceptions by awarding reports when the vulnerability presents a certain risk to their users.

Back in 2015, I was testing SUMO and found a minor bug that led to an invalid redirection. When you add a second forward slash to the end part of the following URL:

https://support.mozilla.org/en-US//test

You will be redirected to:

https://en-us/test

This is an invalid URL. The bug is still reproducible, so you can verify the behavior I am describing.

I couldn’t find a way to exploit the bug because the language part (en-us) precedes the arbitrary input, which makes a valid open redirection impossible to conduct. It was not until April 2016 that I revisited the issue in order to figure out a way to exploit this bug. I found that an arbitrary language can be set via the following endpoint:

https://support.mozilla.org/en-US/locales?lang=test

Once you browse to the above URL, a GET request is sent to the server and ‘test’ is set as the default language. Consequently, when you browse again to support.mozilla.org, you are redirected to:

https://support.mozilla.org/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/

My next thought was to chain both bugs in order to build a fully exploitable vulnerability. So, instead of ‘test’, I set the language to /evilzone.org. Note that the leading slash is required in order to trigger the first bug.

The final proof of concept is:

https://support.mozilla.org/en-US/locales?lang=/evilzone.org

When a legitimate user browses to the link, the language will be set to /evilzone.org, so when the victim visits https://support.mozilla.org he/she will be redirected to https://support.mozilla.org//evilzone.org and, due to our first bug, the victim will be taken to https://evilzone.org.

The vulnerability leads not only to a simple open redirect but also to poisoning of the browser cache. Thus, each time the user visits support.mozilla.com he/she would be automatically taken to our malicious domain, which causes a temporary denial of service for the victim, since SUMO is impossible to reach until the cache is cleared again.

The user may be subjected to phishing attacks by being redirected to an untrusted, attacker-controlled web page that appears to be a trusted web site. The phishers may then steal the user’s credentials and use them to access the legitimate web site. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.

This issue was reported to the Mozilla security team on 2016-04-27, confirmed the same day, and fixed later on 2016-06-27. Mozilla implemented a check to not redirect unless lang is in SUMO_LANGUAGES. The first described bug is still reproducible, but without the second one there is no security risk whatsoever. You might want to have another look at it and find a way to bypass the protection in place.
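To make the two halves of the fix concrete, here is an added example (written for this article, not SUMO's own code) that models the locale endpoint and the redirect it triggers. It shows why a lang value of /evilzone.org produces a scheme-relative Location of //evilzone.org/ that browsers resolve to another host, and how two independent checks stop it: an allowlist check on lang (the fix Mozilla shipped) and a same-origin check on the computed redirect target (which would also have neutralised the first bug on its own). The allowlist contents, the function names and the SITE_ORIGIN constant are assumptions for the example.

```python
"""Allowlisted locale selection plus a same-origin redirect check.

Added illustration only: not Kitsune/SUMO code. SUMO_LANGUAGES here is a
constructed subset standing in for the real list, and all helper names are
assumptions.
"""
from urllib.parse import urljoin, urlsplit

# Constructed allowlist (assumption: the real SUMO_LANGUAGES is much longer).
SUMO_LANGUAGES = frozenset({"en-US", "fr", "de", "es", "ja"})
DEFAULT_LANGUAGE = "en-US"
SITE_ORIGIN = "https://support.mozilla.org"


def choose_locale(requested, allowed=SUMO_LANGUAGES, default=DEFAULT_LANGUAGE):
    """Return the locale to persist for the user.

    Only a value present in the allowlist is accepted (case-insensitively, so
    'en-us' maps to the canonical 'en-US'); anything else falls back to the
    default instead of being stored verbatim. This is the check that stops
    '/evilzone.org' from ever becoming the user's language.
    """
    if not isinstance(requested, str):
        return default
    lowered = requested.strip().lower()
    for lang in allowed:
        if lang.lower() == lowered:
            return lang
    return default


def build_location(stored_lang, rest="/"):
    """Path the unguarded code path would emit: '/<lang>/<rest>'.

    With a stored language of '/evilzone.org' this yields '//evilzone.org/',
    which a browser treats as a scheme-relative URL (same scheme, new host).
    """
    return "/" + stored_lang + "/" + rest.lstrip("/")


def resolve_redirect(location):
    """Resolve a Location value against the site origin and keep it only if
    it stays on that origin; return None otherwise so the caller can fall
    back to the site root. Defends the redirect step regardless of how the
    language value got there.
    """
    absolute = urljoin(SITE_ORIGIN + "/", location)
    parts = urlsplit(absolute)
    expected = urlsplit(SITE_ORIGIN)
    if parts.scheme != expected.scheme or parts.netloc != expected.netloc:
        return None
    return absolute


def handle_locale_request(lang_param, rest="/"):
    """Simulate GET /locales?lang=<lang_param> followed by the redirect.

    Returns (stored_language, redirect_url). Both checks are applied, so a
    hostile lang never reaches storage and a hostile Location never reaches
    the browser.
    """
    stored = choose_locale(lang_param)
    target = resolve_redirect(build_location(stored, rest))
    return stored, target if target is not None else SITE_ORIGIN + "/"


if __name__ == "__main__":
    # Unguarded: the chained bug as described in the article.
    print(build_location("/evilzone.org"))          # //evilzone.org/
    print(urljoin(SITE_ORIGIN + "/", "//evilzone.org/"))  # https://evilzone.org/
    # Guarded: the same input with both checks in place.
    print(handle_locale_request("/evilzone.org"))
    print(handle_locale_request("fr", "/kb/test"))
```

The second print line is the whole attack in one call: urljoin applies the browser's own resolution rules, so a path that merely starts with two slashes is enough to leave the origin. Checking the allowlist before storing the value and checking the origin before emitting the Location are independent controls; either one alone breaks the chain, and keeping both means a future bypass of the allowlist does not reopen the redirect.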

Mozilla appreciated the report and decided to award a bounty of $500 USD for it, which is their minimum, since the web service was out of scope.

Mozilla bug bounty

Thank you for taking the time to read my disclosure, and kindly let me know your thoughts in a comment below. I hope this was a useful article and an interesting discovery.
