I think you may be interested in this open redirection issue; after signup I came across an open redirection issue.
Vuln Link -> https://stacker.news/signup?callbackUrl=https%3A%2F%2Fwww.google.com%2F
Fix this issue here.
100,000 sats bounty
I've submitted an issue to the SN repo, which contains analysis and a recommendation.
Thank you so much! I hope you can fix this ASAP! I would love to test the GraphQL part too! I'll keep you updated whenever I get new things to share.
Thanks for testing! In the future, please do responsible disclosure, for example by DMing @k00b or me on TG. You can find us in this group: https://t.me/stackernews
I tipped your post with 15k sats, but that also wasn't a good idea. It now shows up in daily top posts, lol
While I was writing my GitHub issue for this bug, I looked for SN's disclosure policy and couldn't find it. Also, I don't have a phone, so Telegram wouldn't have been an option.
Ah, yes, you are right, sorry.
I forgot that there are no instructions regarding this in the README. I will add some.
Thanks again!
In all honesty, the only place I checked was the FAQ. I didn't even think of checking the README in the GitHub repo -- but next time I will.
Also a good point. Very useful feedback.
It's fine! I really didn't have any idea about these sats btw; I now know about the satoshi thing lol
What do you mean? I see you are a new user. Did you mean you didn't know your post can get tipped?
deleted by author
You can edit your comments btw.
There is a 10 minute timer so you don't have to delete them if you just want to edit them
It was just a connection problem; I clicked twice on the comment button so the comment got duplicated :)
Ah, I see, haha
We should maybe also add some deduplication in the backend.
So you don't get billed twice just because of bad internet, hehe
PR open if you want to take a look: https://github.com/stackernews/stacker.news/pull/265
Thank you so much, guys! Your work and response are appreciated!
Thanks for posting, I agree this is something that was overlooked!
I think you should actually get paid for finding this open redirect.
More info in the ticket posted by @orthzar