
"Open Redirection" on Apple.com Bounty $$$$ 💵...Really?

  • Writer: Samuel Valmiki
  • Jul 24, 2024
  • 3 min read

Hey everyone! 👋

I’m excited to share my very first blog post with you, with more to come. It’s all about some of the interesting things I’ve encountered, and will encounter, in my cybersecurity journey. I’d love for you to check it out and share your feedback. I’m always eager to learn and improve!

So open your favourite browser and type in the URL below (or just click the link below):

You got redirected to HackerOne... Hooray!!! You found an "Open Redirection" vulnerability....



This is what a lot of us might be thinking, possibly with a confused smile on our faces. Recently I was triaging a responsible disclosure report titled "Open Redirection on redacted.com" and started digging into it. At first glance, the URL looked like an open redirection vulnerability. But this isn't the case. Let's break down why this kind of URL is often misunderstood and how modern browsers mitigate the risks.

The Anatomy of a URL:

To understand this better, let's break down the URL structure:


  • Scheme: This is the protocol, like https, which indicates how the browser should communicate with the server.

  • Credentials: This includes a username and possibly a password, separated by a colon, followed by an "@" symbol.

  • Host: This is the actual domain or IP address the browser connects to.

  • Path: This is the specific page or resource being requested.

In the URL https://apple.com@hackerone.com, the browser interprets it as:

Here’s where the confusion lies: the part before the "@" symbol (apple.com) is not the domain you're visiting. It's treated as the username in the URL scheme, not the host.


Why It's Not an Open Redirection:


Open redirection vulnerabilities occur when a website improperly forwards users to untrusted sites. For instance, if apple.com redirects you to hackerone.com without proper validation, that would be a genuine vulnerability. However, in our example, the URL is not performing a redirection at all.

Instead, the browser is instructed to visit hackerone.com, and apple.com is simply passed along as a username. Modern browsers, understanding this scheme, will take you directly to hackerone.com, and they often hide the username part in the address bar for security reasons.
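To make the anatomy above concrete, here is an added example (not code from the post) that feeds the post's URL through the WHATWG URL parser, the same parser browsers use, and then contrasts a naive "starts with our domain" check with a redirect allowlist that parses the target first. The functions, the allowlist and the sample URLs are assumptions made for the example; the point is that a correct parser puts apple.com in the username slot and hackerone.com in the host slot, so only a string-prefix check is fooled.

```javascript
// Added example, not from the original post. Runs under Node.js (global URL).

// Constructed sample from the post: "apple.com" sits in the userinfo slot.
const SAMPLE_URL = "https://apple.com@hackerone.com";

// Split a URL into the parts the post names: scheme, credentials, host, path.
function anatomy(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol.replace(/:$/, ""), // "https:" -> "https"
    username: u.username, // "" when the URL carries no credentials
    password: u.password,
    host: u.hostname, // the server the browser actually connects to
    path: u.pathname, // "/" when no path was given
  };
}

// A substring check of the kind that makes userinfo URLs look like redirects:
// it only looks at the text, not at which part of the URL the text lands in.
function naiveIsTrusted(urlString, trustedHost) {
  return urlString.startsWith(`https://${trustedHost}`);
}

// Allowlist check for a redirect target that parses the URL before deciding.
// Returns false for relative or malformed input, for non-http(s) schemes,
// for any URL carrying credentials (a design choice: a redirect target on
// our own sites never needs them), and for hosts not on the allowlist.
function isSafeRedirectTarget(urlString, allowedHosts) {
  let u;
  try {
    u = new URL(urlString); // throws on relative or malformed input
  } catch (_err) {
    return false;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  if (u.username !== "" || u.password !== "") return false;
  // URL.hostname is already lower-cased by the parser; the call is belt and braces.
  return allowedHosts.has(u.hostname.toLowerCase());
}

// Stand-alone demonstration when the file is run directly.
const demoAllowlist = new Set(["apple.com"]);
console.log(anatomy(SAMPLE_URL));
console.log("naive check passes:", naiveIsTrusted(SAMPLE_URL, "apple.com"));
console.log("parsed allowlist check passes:", isSafeRedirectTarget(SAMPLE_URL, demoAllowlist));
```

Running it prints a host of hackerone.com with apple.com as the username: the naive prefix check returns true for the post's URL while the parsing allowlist returns false. The same parser-first approach is what a server-side redirect endpoint should use when it validates a user-supplied `next` or `returnUrl` parameter.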


The Role of Modern Browsers:

Modern browsers are smart enough to avoid exposing users to potential phishing schemes or malicious redirects by interpreting URLs correctly. When you paste or type the URL https://apple.com@hackerone.com into the address bar, most browsers will:

  1. Highlight the Host: The browser’s address bar will typically highlight evil.com, making it clear to the user where they are actually going.

  2. Omit the Username: Some browsers may omit the apple.com@ part altogether, simplifying the URL to just https://hackerone.com to avoid confusion.

  3. Warn the User: In some cases, browsers may even warn users about potential risks when accessing such URLs.

This behavior is a security measure designed to protect users from falling prey to such phishing attacks, where attackers could exploit misunderstandings about how URLs work.


Conclusion:

Understanding URL schemes vs. open redirection is crucial in cybersecurity, especially for bug hunters. Always check the URL structure and how modern browsers handle it to avoid reporting false vulnerabilities. This helps maintain a more accurate and effective security landscape.


I am sure you got some insight from this. Do share it with the folks around you, and stay tuned: more insights coming soon!


2 comments


Aman Singh
09 Aug 2024

Hi brother

Did you get a bounty for this or not?

Like
expo0909
11 Aug 2024
In reply to

Chin Tapak Dam Dam ‼️

Like

© 2024 BY SAMUEL VALMIKI.
