Have you ever seen social media icons, such as Instagram, Facebook or YouTube, on a website?
Have you ever clicked one of those links?
And have you ever landed on an error page after clicking it? That error can be the symptom of a vulnerability called broken link hijacking.
In this write-up, I will discuss what broken link hijacking is and how to exploit it.
Before continuing, I want to explain in simple terms what broken link hijacking is.
Broken link hijacking is a vulnerability that occurs when a link published on a site, for example one used for promotion, points to a resource that is broken or expired, such as a deleted or renamed social media account. It is usually combined with phishing or social engineering to trick victims, who trust the link because it comes from the legitimate site.
OK, moving on to the main topic. Let's say we have a target, namely redacted.com.
The redacted.com site has social media links such as Instagram, Facebook, YouTube, and so on. When we click the Instagram link, we are taken to an Instagram account page that shows an error. See the image below.
The link looks like this: https://www.instagram.com/abc, where ABC is the username of the Instagram account that returned the error, meaning the account no longer exists.
So how is it exploited?
Steps to Reproduce:
1. Log in to your Instagram account.
2. Change your username, originally qwerty, to ABC (where ABC is the username of the Instagram account that returned the error). Make sure the username ABC is actually available.
3. Go to the home page of redacted.com and click the Instagram icon again, or reload the Instagram page that previously showed the error.
4. We have now claimed the username behind the redacted.com Instagram link, so any user who follows that link ends up on the attacker's (that is, our) Instagram account page.
Note: make sure the Instagram account username is available, otherwise it will be difficult to exploit :(.
Impact:
- Damage to the website owner's reputation.
- Loss of user and audience trust.
Mitigation:
Check and update your social media links regularly, and remove or re-claim any that no longer resolve.
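A small audit script for the mitigation above, added here as an example and not part of the original write-up: it extracts the social media links from a page's HTML and reports the profiles that no longer resolve. The host list, the User-Agent string and the sample page are constructed for the example; the probe is injectable so the scan can run offline on recorded statuses.

```python
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts whose profile URLs are worth auditing (hypothetical list, extend as needed).
SOCIAL_HOSTS = {"instagram.com", "facebook.com", "youtube.com", "twitter.com", "x.com"}
# Statuses meaning the profile is gone and its handle may be free to re-register.
BROKEN_STATUSES = {404, 410}

class _LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []  # every <a href> seen on the page

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def social_links(html):
    """Distinct links on the page that point at a known social media host."""
    parser = _LinkExtractor()
    parser.feed(html)
    found = []
    for href in parser.hrefs:
        host = urlparse(href).netloc.lower().removeprefix("www.")
        if host in SOCIAL_HOSTS and href not in found:
            found.append(href)
    return found

def http_status(url, timeout=10):
    """Live probe: GET the URL and return the final HTTP status code."""
    req = urllib.request.Request(url, headers={"User-Agent": "broken-link-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def find_broken(html, probe=http_status):
    """[(url, status)] for social links whose profile no longer resolves.
    `probe` is injectable so the audit can run offline on recorded statuses.
    Caveat: some platforms answer 200 with a 'not found' body or a login
    redirect, so a 200 here does not prove the handle is still claimed."""
    return [(url, status) for url in social_links(html)
            if (status := probe(url)) in BROKEN_STATUSES]

# Constructed sample: a dead Instagram handle, a live Facebook page, an internal link.
SAMPLE_HTML = ('<a href="https://www.instagram.com/abc">IG</a><a href="https://www.facebook.com/redacted">FB</a>'
               '<a href="https://redacted.com/about">About</a>')
SAMPLE_STATUSES = {"https://www.instagram.com/abc": 404, "https://www.facebook.com/redacted": 200}
```

Run `find_broken(SAMPLE_HTML, probe=SAMPLE_STATUSES.__getitem__)` for the offline demo, or `find_broken(page_html)` against a fetched page to use the live probe.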
Related disclosed reports:
- QIWI disclosed on HackerOne: account impersonate through broken link. "hi team, hope you are good, A link in qiwi.com was broken and anyone could create that account which leads to account…"
- Urban Company disclosed on HackerOne: Broken Link on Urban... "Summary: - Urban Company has an unclaimed broken link on their HackerOne security page which can be claimed by any…"
- Panther Labs disclosed on HackerOne: Twitter Account hijack through... "Summary: A link(https://twitter.com/runpanther_) in https://runpanther.io was broken and anyone could create that…"
Timeline:
- Submitted: November 2, 2023
- Accepted: November 3, 2023
- Resolved: November 27, 2023
- Reward: December 6, 2023