Open Redirect on Yandex, a bug or not?


(Image caption: the same first bug. It is also the most famous one.)

Hello, dear Khabrovites. I want to share with you a small case study on the Yandex bug bounty program. As usually happens, I found a vulnerability in the company's services, wrote a letter, and waited for an answer, in which they thanked me and stated that this bug was not a bug at all.

That being so, I decided to share it with readers. Below the cut I describe the essence of the vulnerability and how I arrived at it, followed by a short poll at the end intended to answer the question in the title: is this a bug or not?

Important note: I asked permission from the Yandex information security service to describe this potential vulnerability; the text of their letter is at the end of the article.

Open Redirect is a class of vulnerability in which a site redirects a request to another site based on a parameter it does not validate. The main danger is that an inattentive user, trusting the domain they started on, may enter on the destination page, for example, the login and password for some financial service or other valuable data, which an attacker can then use for their own benefit.

It's no secret that Yandex has a bug bounty program, under which you can also get some money if you find something worthwhile. Within this program there is also a so-called "Hall of Fame": a page that lists the accounts of those users who were lucky enough to find a vulnerability or bug in Yandex services.

It would seem that all the possible vulnerabilities have already been found, and probably only the most complex ones remain, which require a great deal of time, competence and knowledge. However, despite all these obstacles, obvious to anyone who has seen a feature film, a dozen or so new faces appear in the Hall of Fame every month. Something here didn't add up, I thought, and decided to try it myself.

Spoiler: all these prejudices have nothing to do with reality.

As it turned out, you don't need to be a cool hacker to find a vulnerability; it's enough to be able to use a web browser and to understand a little about how a query string is formed. That's all.

So, here is the description of how I eventually found this vulnerability.

Initially, not knowing what I could latch on to, I simply poked around Yandex resources, adding different characters to queries, for example: https://yandex.ru/pogoda/moscow?lat=55.755863&lon=+37.6177. As you can see, I appended a "+" to the lon parameter, and now this link leads to a "Bad Request" page; all other characters are ignored, but the "+" sign has this unusual effect. Clearly this is nothing special and nothing to brag about. It doesn't work, and that doesn't bother anyone.

So I went through various links until I noticed a remarkable one on the registration page: https://passport.yandex.ru/auth?retpath=https%3A%2F%2Fya.ru. Noticing that this link carried a retpath parameter, I was noticeably delighted and had already begun to rub my sweaty hands, but no such luck.

Whatever I substituted into this retpath, nothing got through except links to Yandex services. One could substitute any article on Zen and claim that this is a way to inflate views, but, to be honest, it didn't look like a serious problem. A redirect to some external resource was needed.

I knew of one feature of Yandex Translate: through it you can translate whole sites, and in doing so it is essentially a proxy server.

(Picture: the original IP address, as shown by whoer.net.)

(Picture: the IP address when going through the translator.)

As you can see, they have different IP addresses.

However, the translated sites were served from the translated.turbopages.org domain, which retpath rejected as external. There was nothing I could do about it. Happiness was so close, it seemed enough to reach out a hand, but no matter how hard I tried, nothing worked.

Desperate, I decided to give up on this hopeless case and just clicked and clicked on various links in the translator. And then I simply got lucky, because Yandex decided to check whether I was a robot. You see, nowadays there are a lot of ChatGPTs around.

So, instead of another translated site, I came across a captcha and, since I knew what to look for, I immediately saw that the captcha was on the Yandex domain: https://translate.yandex.ru/showcaptcha?cc=…. Of course, I immediately decided to try putting it into retpath and… it worked! In essence, this made it possible to move from the Yandex domain out to an external network.

The same link https://passport.yandex.ru/…,

Note: after some time, the captcha disappears and you can immediately go to an external site.
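The two checks at play above are worth seeing side by side: the retpath validator, which correctly accepts translate.yandex.ru and rejects everything external, and the check it cannot make on its own, namely where the accepted URL sends the browser next. The following is an added example written for this article, not Yandex's code. The allowlist of first-party hosts, the redirect map standing in for the captcha page's behaviour, the cc= placeholder and the turbopages path are all constructed for illustration.

```python
"""Constructed example (not Yandex's code): validating a retpath-style
return URL, then checking where an in-house redirect chain actually ends."""
from urllib.parse import urlsplit

# Constructed allowlist of first-party hosts a login page may return to.
ALLOWED_SUFFIXES = ("yandex.ru", "ya.ru")

# Constructed placeholder: the real cc= value is not reproduced here.
CAPTCHA_URL = "https://translate.yandex.ru/showcaptcha?cc=PLACEHOLDER"

# Constructed model of server-side redirects (URL -> Location it answers with).
# It stands in for the observed behaviour: a captcha page on a first-party host
# sends the browser on to the translation proxy on an external host.
REDIRECT_MAP = {
    CAPTCHA_URL: "https://translated.turbopages.org/constructed/path",
}


def host_allowed(host):
    """True if host is an allowlisted domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def validate_retpath(retpath):
    """Accept only absolute https URLs whose host is allowlisted.

    Rejects the usual bypass shapes: scheme-relative '//host', userinfo
    tricks such as 'https://yandex.ru@evil.example', backslashes and control
    characters that browsers and parsers disagree about, explicit ports, and
    look-alike hosts such as 'yandex.ru.evil.example'.
    """
    if any(c in retpath for c in "\\\r\n\t "):
        return False
    parts = urlsplit(retpath)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        if parts.port is not None:
            return False
    except ValueError:  # malformed port such as 'https://ya.ru:abc/'
        return False
    return host_allowed(host)


def redirect_chain(url, max_hops=5):
    """Return [url, hop1, hop2, ...] by following the constructed redirect map."""
    chain = [url]
    while chain[-1] in REDIRECT_MAP and len(chain) <= max_hops:
        chain.append(REDIRECT_MAP[chain[-1]])
    return chain


def chain_stays_in_house(retpath):
    """The check the per-parameter validator alone cannot make: retpath
    passes the allowlist AND every hop it leads to stays on an allowlisted
    host. A first-party page that itself redirects outward fails here."""
    if not validate_retpath(retpath):
        return False
    return all(host_allowed(urlsplit(u).hostname or "")
               for u in redirect_chain(retpath))


if __name__ == "__main__":
    for u in ("https://ya.ru", "https://yandex.ru@evil.example/",
              "//evil.example", CAPTCHA_URL):
        print(u, "valid:", validate_retpath(u),
              "stays in house:", chain_stays_in_house(u))
```

The point the example makes is the one in the letter below: a host allowlist on retpath is a reasonable control, and the captcha URL passes it honestly, because translate.yandex.ru really is first-party. The gap is that any first-party page which forwards the browser elsewhere (the translation proxy on translated.turbopages.org in this case) becomes a one-hop bridge out, and only an inventory of such forwarding endpoints, or a check like the redirect-chain walk here, closes it.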

Video that I sent to Yandex:

Letter from Yandex…

Thank you for your interest in the security of Yandex services.
The problem you reported to us does not pose a risk to the user.

If you think otherwise, please describe an example of a real attack on sensitive user data,
that can be committed using this vulnerability.

The steps you describe only lead to a redirect to the translated.turbopages.org domain.
And the Open Redirect vulnerability itself is not included in the scope of the program.
Although we must admit that the functionality you described is quite entertaining.

As such, we are unfortunately unable to award a reward for it.

Thank you for your attention!
