This repository was archived by the owner on Apr 21, 2025. It is now read-only.

Broken Link on who-covid-19-mobile-app's Vulnerability Submission Form on Hackerone #2019

@jaimaakali

Description


Steps To Reproduce:

Visit https://hackerone.com/who-covid-19-mobile-app/reports/new?type=team&report_type=vulnerability

Click on Security Page.

After that, you'll be redirected to the 404 HackerOne page.

This will impersonate your security page and steal legitimate reports.

References:
https://edoverflow.com/2017/broken-link-hijacking

Similar report: https://hackerone.com/reports/1225299

POC video: recording-1624273892143.webm

@171217

Impact

New researchers can be further deceived if they click on the hijacked link.

A specific case might be for a malicious user to create a fake account on that broken redirection link and deceive researchers arriving on that link. For example, the attacker can ask the researcher to submit his report to him first and, if he approves, only then can he submit it to your official page. In this way, it can cause huge damage to your company if a critical-severity report is misdirected to the attacker.
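The defensive counterpart to the report above is a periodic dead-link check of the organisation's own security and disclosure pages, so that an outbound link that starts returning 404 is noticed before anyone else can claim the handle behind it. The script below is an added example written for this page; it is not code from the issue, from HackerOne, or from this repository. The sample HTML, the `example.org` base URL and the `example-dangling-program` handle are constructed placeholders, and `fetch_status` is an injectable hook so the check can be exercised offline with a fake resolver.

```python
"""Dead-link check for a security/disclosure page (added example, not project code).

Extract every <a href> from a page, resolve each link, and flag those that
answer 404/410 or cannot be resolved at all. Those are the candidates for
broken-link hijacking and should be fixed or removed by the page owner.
"""
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional
from urllib.parse import urljoin
import urllib.error
import urllib.request


class _LinkExtractor(HTMLParser):
    """Collect href values of <a> tags while parsing."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html: str, base_url: str) -> List[str]:
    """Return absolute URLs for every anchor on the page (relative ones joined to base_url)."""
    parser = _LinkExtractor()
    parser.feed(html)
    return [urljoin(base_url, href) for href in parser.hrefs]


def http_status(url: str, timeout: float = 10.0) -> Optional[int]:
    """Live resolver: HEAD the URL and return its status code, or None if unreachable."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "dead-link-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # 404, 410, etc. are still useful signal
    except (urllib.error.URLError, OSError):
        return None  # DNS failure or connection refused: unresolvable


def find_dead_links(html: str, base_url: str,
                    fetch_status: Callable[[str], Optional[int]] = http_status
                    ) -> Dict[str, Optional[int]]:
    """Map each dead or unresolvable link on the page to the status observed."""
    dead: Dict[str, Optional[int]] = {}
    for url in extract_links(html, base_url):
        status = fetch_status(url)
        if status is None or status in (404, 410):
            dead[url] = status
    return dead


# Constructed sample page standing in for a security policy page.
SAMPLE_HTML = """
<html><body>
  <a href="/contact">Contact</a>
  <a href="https://hackerone.com/example-dangling-program">Security Page</a>
  <a href="https://edoverflow.com/2017/broken-link-hijacking">Reading</a>
</body></html>
"""


def fake_status(url: str) -> Optional[int]:
    """Offline resolver used for the demo: the 'Security Page' handle no longer exists."""
    table = {
        "https://example.org/contact": 200,
        "https://hackerone.com/example-dangling-program": 404,
        "https://edoverflow.com/2017/broken-link-hijacking": 200,
    }
    return table.get(url)


if __name__ == "__main__":
    for url, status in find_dead_links(SAMPLE_HTML, "https://example.org/", fake_status).items():
        print(f"DEAD {status}: {url}")
```

Running it against the constructed page prints one `DEAD 404` line for the dangling program handle; in production you would drop the `fake_status` argument so `http_status` performs real requests, and run the check from CI or a scheduled job against the organisation's published security.txt and policy pages.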

Labels:

- needs:triage (New issue that needs triage)
- resolved:stale (No recent activity on the issue or PR)
- source:public (Issues created by the public)
