Vulnerability report to the MSRC Team. Also reported to Softpedia (all of the vulnerabilities have been fixed).

Proof Video:
============
http://www.youtube.com/watch?v=wyw-Z11O3WY

Title:
======
MSN Mobile Websites - Multiple Open Redirect Vulnerabilities

Researcher:
===========
Souhail Hammou (Dark-Puzzle)
Website: http://www.dark-puzzle.com/

Information:
============
Vulnerable online services:
http://mobile.msn.com/en-us/
http://m.ninemsn.com.au/
http://mobile.fr.msn.com/
http://mobile.uk.msn.com/device/
http://movil.es.msn.com/device/
http://mobile.de.msn.com/device/
http://mobile.br.msn.com/device/
http://mobile.nl.msn.com/device/
http://mobile.be.msn.com/device/
http://home.mobile.en.ca.msn.com/device/
http://mobile.en.xin.msn.com/device/
http://rogers-home.mobile.en.ca.msn.com/device/
http://mobile.mx.msn.com/device/
And more...

Issue Type: Open Redirect Vulnerability, a.k.a. Unvalidated Redirect.
Online Service: MSN Mobile websites.
Accessible: From mobile phones and desktop computers.

About the issue:
================
An open redirect is an application endpoint that takes a parameter and redirects the user to the parameter's value without validating it. The flaw is used in phishing attacks to send users to malicious sites without their realising it: the link they click belongs to a trusted domain, so the redirect removes the one cue that would normally make them suspicious.
Details:
========
The vulnerable link (MSN Australia only):
http://m.ninemsn.com.au/clt.aspx?u=http://malicious-URL/

The vulnerable link for the other websites:
http://mobile.msn.com/en-us/sp.aspx?rs=true&nu=http://malicious-URL/
http://mobile.fr.msn.com/sp.aspx?rs=true&nu=http://malicious-URL/
http://mobile.uk.msn.com/device/sp.aspx?rs=true&nu=http://malicious-URL/
http://movil.es.msn.com/device/sp.aspx?rs=true&nu=http://malicious-URL/
http://mobile.de.msn.com/device/sp.aspx?rs=true&nu=http://malicious-URL/
http://mobile.br.msn.com/device/sp.aspx?rs=true&nu=http://malicious-URL/
http://mobile.nl.msn.com/device/sp.aspx?rs=true&nu=http://malicious-URL/
http://mobile.be.msn.com/device/sp.aspx?rs=true&nu=http://malicious-URL/
http://home.mobile.en.ca.msn.com/device/sp.aspx?rs=true&nu=http://malicious-URL/

Normally, the MSN Mobile Australia website uses this link to redirect the user to Hotmail and other Microsoft sites. However, the parameter accepts any destination and can therefore be abused by an attacker.

- For MSN Mobile Australia: the redirect parameter is 'u', which specifies the URL to redirect to, allowing an attacker to craft a URL and choose the destination page. The vulnerable page is "clt.aspx".
- For the other MSN Mobile websites: the redirect parameter is 'nu', which specifies the URL to redirect to, allowing an attacker to craft a URL and choose the destination page. The vulnerable page is "sp.aspx".

===========================
An attacker can exploit this unvalidated redirect by tricking victims into clicking the link. Victims are more likely to click on it because, as far as they can tell, the link points to a valid and trusted website, so the attacker can fool unsuspecting users into believing they are navigating to a well-known site (Hotmail, SkyDrive, MSN, a bank, etc.) rather than to an attacker-controlled site.
Step-by-step instructions to reproduce & vulnerable links:
==========================================================
The bug can be reproduced simply by placing an external URL in the vulnerable parameter.

http://m.ninemsn.com/clt.aspx?u=http://hotmail.fake.com/login.aspx
http://m.ninemsn.com/clt.aspx?u=http://login.live.attacker.com/login.srf

For the other websites (dark-puzzle.com can be replaced with a malicious site):
http://mobile.msn.com/en-us/sp.aspx?rs=true&nu=http://login.live.attacker.com/login.srf
http://mobile.fr.msn.com/sp.aspx?rs=true&nu=http://login.live.attacker.com/login.srf
http://mobile.uk.msn.com/device/sp.aspx?rs=true&nu=http://login.live.attacker.com/login.srf
http://movil.es.msn.com/device/sp.aspx?rs=true&nu=http://login.live.attacker.com/login.srf
http://mobile.de.msn.com/device/sp.aspx?rs=true&nu=http://login.live.attacker.com/login.srf
http://mobile.br.msn.com/device/sp.aspx?rs=true&nu=http://login.live.attacker.com/login.srf
http://mobile.nl.msn.com/device/sp.aspx?rs=true&nu=http://login.live.attacker.com/login.srf
http://mobile.be.msn.com/device/sp.aspx?rs=true&nu=http://login.live.attacker.com/login.srf
http://home.mobile.en.ca.msn.com/device/sp.aspx?rs=true&nu=http://login.live.attacker.com/login.srf

Real examples:
==============
http://m.ninemsn.com/clt.aspx?u=http://www.dark-puzzle.com/
http://mobile.msn.com/en-us/sp.aspx?rs=true&nu=http://www.hotmail.com/
http://mobile.fr.msn.com/sp.aspx?rs=true&nu=http://www.microsoft.com/

Solution:
=========
Redirects can be made safe in several ways:
- Simply avoid using redirects and forwards.
- If the parameter cannot be avoided, ensure that the supplied value is valid and authorized for the user before redirecting to it; this closes the vulnerability.

Avoiding such flaws is extremely important, as they are a favourite target of phishers trying to gain the user's trust.

Yours sincerely,
Souhail Hammou
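The second mitigation above, validating the 'u'/'nu' value against what the site is actually allowed to redirect to, as an added Python example that is not part of this report or of the MSN sites' code; the allowlisted hosts are assumptions, and the edge cases handled (scheme-relative "//host", backslashes, userinfo and non-http schemes) are the usual ways a naive "does it start with /" check gets bypassed.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts the redirect endpoint may send users to.
ALLOWED_HOSTS = {"mobile.msn.com", "m.ninemsn.com.au", "login.live.com"}


def unvalidated_redirect_target(value):
    """The pattern the report describes: the 'u'/'nu' value is used as-is."""
    return value


def safe_redirect_target(value, default="/"):
    """Return `value` only if it is a same-site path or an allowlisted URL.

    Anything else (foreign hosts, scheme-relative "//host", backslash and
    userinfo tricks, non-http schemes, malformed ports) falls back to `default`.
    """
    if not value or len(value) > 2048:
        return default
    # Control characters, whitespace and backslashes: browsers treat
    # "/\evil" like "//evil", and CR/LF could split the Location header.
    if any(ord(c) < 0x21 or c == "\\" for c in value):
        return default
    parts = urlsplit(value)
    if parts.scheme == "" and parts.netloc == "":
        # Same-site path: exactly one leading slash. Browsers collapse
        # "///host" to "//host", which is scheme-relative and leaves the site.
        if value.startswith("/") and not value.startswith("//"):
            return value
        return default
    if parts.scheme not in ("http", "https"):  # urlsplit lower-cases the scheme
        return default
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return default
    # hostname strips userinfo and port and lower-cases, so
    # "https://mobile.msn.com@evil.example/" yields "evil.example".
    host = parts.hostname
    if host is None or host.rstrip(".") not in ALLOWED_HOSTS:
        return default
    if parts.username is not None or port is not None:
        return default
    return value
```

Exact host matching matters: a suffix or substring check would accept "mobile.msn.com.evil.example", which is the usual way an allowlist is bypassed.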