Snapchat fails to patch year-old bug, leaving millions exposed to data theft


Automated URL redirects used by American Express and Snapchat to steer customers to their websites have been hijacked by threat actors looking to harvest credentials, according to research by INKY.

American Express has reportedly patched the vulnerability, but Snapchat has yet to do so, a year after it was first warned of the flaw through a bug bounty program.

“Back in the mists of time, before the turn of the century, wise internet architects devised a means to redirect a web surfer from one URL to another,” said INKY. “This redirection service was enshrined in both browsers and websites so that someone clicking on a link could pass through a first destination on their way to a second.”


Though obviously a very useful marketing tool – for instance, steering an errant typist from Amazn.com to Amazon.com – this redirection function has become a weapon in the hands of cybercriminals, who use it to steer the unwitting towards credential-harvesting sites.

Leveraging the legitimate

Between May and July, INKY observed just such a case, with threat actors exploiting unpatched open redirect vulnerabilities on American Express and Snapchat domains. What makes this attack so effective is that the phishing link starts on a legitimate website and URL operated by a trusted brand.

“Open redirect, a security vulnerability that occurs when a website fails to validate user input, allows bad actors to manipulate the URLs of high-reputation domains to redirect victims to malicious sites,” it said.

“Since the first domain name in the manipulated link is in fact the original site’s, the link may appear safe to the casual observer. The trusted domain (e.g., American Express, Snapchat) acts as a temporary landing page before the surfer is redirected to a malicious site.”

For example, where “safe.com” is taken to represent an authentic domain and “malicious.com” a credential-harvesting website, cybercriminals will craft a link such as http://safe.com/redirect?url=http://malicious.com. The victim’s browser first contacts safe.com, which then redirects it to fake versions of Microsoft, FedEx, and DocuSign login sites that siphon off their email and password details.

Convincing fake of a Microsoft login page, as captured by INKY.

Big brands, but cyber-slackers


“Perhaps websites don’t give open redirect vulnerabilities the attention they deserve because they don’t allow attackers to harm or steal data from the site,” said INKY. “From the website operator’s perspective, the only damage that potentially occurs is harm to the site’s reputation. The victims, however, may lose credentials, data, and possibly money.”

This lackadaisical attitude seems to be reflected in Snapchat’s current posture, though American Express, to its credit, patched the issue after being notified by INKY.

According to INKY, Snapchat was first informed of the issue by Open Bug Bounty on August 4, 2021, but at the time of writing it still has not fixed the issue, leaving its millions of users in continual jeopardy of having their credentials stolen and resold on the dark web.

According to Statista, as of the first quarter of 2022, Snapchat had 332 million users worldwide. INKY reached out to the social media platform to remind it about the unpatched vulnerability, but at the time of writing, no response was forthcoming.

Do’s and don’ts

“When examining links, surfers should keep an eye out for URLs that include, for example, url=, redirect=, external-link, or proxy,” said INKY. “These strings might indicate that a trusted domain could redirect to another site.”

It added: “Recipients of email with links should also examine them for multiple occurrences of ‘http’ in the URL, another potential indication of redirection.”
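The two checks INKY recommends (redirect-style parameter names and more than one “http” in a link) can be automated for mail filtering or user training. The following is an added example, not INKY’s code or any product of theirs: a small link inspector that reports the host a link visibly points at, any second destination carried in its query string, and how many “http” strings appear both in the raw link and after percent-decoding. The decoded count matters because an attacker who URL-encodes the payload (url=http%3A%2F%2Fmalicious.com) defeats the eyeball version of the “multiple http” test while the browser still follows the redirect. The parameter-name list and path hints are assumptions extended from INKY’s examples; safe.com and malicious.com are the article’s placeholder domains.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Query-parameter names that commonly carry a redirect target: INKY's examples plus
# a few others seen in practice. Assumed list; extend it for your own environment.
REDIRECT_PARAMS = {
    "url", "redirect", "redirect_uri", "redirect_url", "return", "returnurl",
    "next", "goto", "target", "dest", "destination", "continue", "link", "proxy",
}
# Path fragments INKY calls out as hints that an endpoint forwards the visitor elsewhere.
PATH_HINTS = ("redirect", "external-link", "proxy")

_HTTP = re.compile(r"https?:", re.IGNORECASE)


def inspect_link(link):
    """Report what a recipient should know before clicking: the host the link visibly
    points at, and any second destination smuggled inside its query string."""
    parts = urlsplit(link.strip())
    # Decode twice so that a double-encoded payload (http%253A%252F%252F...) is also seen.
    decoded = unquote(unquote(link))

    embedded = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        candidate = unquote(value)             # parse_qsl already decoded one layer
        host = urlsplit(candidate).hostname    # None unless the value is an absolute URL
        if host or name.lower() in REDIRECT_PARAMS:
            embedded.append({"param": name, "value": candidate, "host": host})

    report = {
        "visible_host": parts.hostname,
        "raw_http_count": len(_HTTP.findall(link)),          # what the eye sees
        "decoded_http_count": len(_HTTP.findall(decoded)),   # what the browser follows
        "path_hint": any(h in parts.path.lower() for h in PATH_HINTS),
        "embedded": embedded,
    }
    # The link is an off-site redirect if any embedded destination names a different host.
    report["redirects_offsite"] = any(
        e["host"] and e["host"] != parts.hostname for e in embedded
    )
    return report


if __name__ == "__main__":
    # Constructed sample links using the article's placeholder domains.
    for sample in (
        "http://safe.com/redirect?url=http://malicious.com",
        "https://safe.com/go?next=http%3A%2F%2Fmalicious.com%2Flogin",
        "https://safe.com/account?tab=settings",
    ):
        print(sample, "->", inspect_link(sample))
```

In the second sample the raw link contains “http” only once, so a reader applying INKY’s rule by eye would pass it, yet the decoded count is two and the inspector flags it as an off-site redirect. Treat `redirects_offsite` as a reason to rewrite or quarantine the link, not as proof of malice: legitimate newsletter trackers use the same shape, which is exactly why the technique works.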

INKY also urges site operators to implement allow-lists of approved destination links to weed out bad actors, and to replace automatic redirects with redirect “disclaimer” pages that require users to click before being sent on to an external site, as opposed to the silent, automated version that has been favored until now.
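To make the crafted link from the example above and INKY’s two recommendations concrete, here is an added example of a redirect endpoint’s decision logic in both forms. This is illustrative code written for this page, not code from INKY, American Express or Snapchat. The “before” function forwards the victim wherever the url= parameter says, which is the open redirect described in the article. The hardened function only auto-redirects to site-relative paths or to an assumed allow-list of hosts, sends every other well-formed external URL to a click-through interstitial, and rejects the inputs attackers typically use to slip past a naive host check: scheme-relative “//host”, backslashes (which browsers treat as slashes), “https:host” with no slashes, userinfo tricks such as http://safe.com@malicious.com, and non-http schemes. The allow-list contents and the safe.com/malicious.com names are assumptions taken from the article’s placeholders.

```python
from urllib.parse import urlsplit

# Assumed allow-list: hosts the endpoint may send users to without a confirmation page.
ALLOWED_HOSTS = {"safe.com", "www.safe.com"}
FALLBACK = "/"   # where rejected requests land instead


def vulnerable_redirect(target):
    """'Before': the handler trusts ?url= completely, so
    http://safe.com/redirect?url=http://malicious.com sends the visitor to malicious.com."""
    return ("redirect", target)


def hardened_redirect(target):
    """'After'. Returns (decision, location) where decision is one of
    'redirect'      -> issue the 302 automatically (same site or allow-listed host)
    'interstitial'  -> render a "you are leaving safe.com" page that the user must click
    'reject'        -> malformed or bypass-shaped input; go to FALLBACK instead"""
    # Whitespace/control characters and backslashes are parsed differently by browsers
    # and URL libraries, so refuse them outright rather than reasoning about them.
    if not target or "\\" in target or any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in target):
        return ("reject", FALLBACK)

    if target.startswith("/"):
        # Site-relative path. Browsers read "//host" and even "///host" as a new
        # authority, so only a single leading slash is accepted. This check is done on
        # the raw string because urlsplit("///host") reports an empty netloc.
        if target.startswith("//"):
            return ("reject", FALLBACK)
        return ("redirect", target)

    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        # javascript:, data:, mailto:, or a bare "malicious.com" with no scheme at all
        return ("reject", FALLBACK)
    if "@" in parts.netloc or not parts.hostname:
        # http://safe.com@malicious.com/ puts the trusted name in the userinfo part;
        # https:malicious.com parses here with an empty netloc but a browser follows it.
        return ("reject", FALLBACK)
    if parts.hostname in ALLOWED_HOSTS:       # hostname is already lower-cased
        return ("redirect", target)
    # A well-formed external URL: allowed, but only through a click-through disclaimer.
    return ("interstitial", target)


if __name__ == "__main__":
    # Constructed inputs: the article's example plus common bypass shapes.
    for t in ("http://malicious.com", "/account/settings", "//malicious.com",
              "http://safe.com@malicious.com/", "https:malicious.com",
              "http://safe.com.malicious.com/login", "https://www.safe.com/help"):
        print(repr(t), "before:", vulnerable_redirect(t), "after:", hardened_redirect(t))
```

Note that “http://safe.com.malicious.com/login” is a perfectly valid external URL and so lands on the interstitial rather than being rejected; the allow-list comparison is an exact host match, never a prefix or substring test, which is where many “fixed” redirects go wrong again. In a web framework, “redirect” maps to the 302 response, “interstitial” to rendering the disclaimer page with the destination shown in full, and “reject” to a 302 to the site root.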