Yelp: Content spoofing on yelp.onelogin

2016-11-07T01:09:36
ID H1:180559
Type hackerone
Reporter japz
Modified 2017-11-09T20:41:14

Description

Hi Yelp Team,

I'm not sure if this one is out of scope, but I want you guys to be aware of it. I have found that content spoofing is possible on Yelp OneLogin.

Reference: https://www.owasp.org/index.php/Content_Spoofing

PoC URL:

https://yelp.onelogin.com/images%20storage%20has%20been%20transfered%20to%20new%20storage%20location,%20please%20go%20to%20www.malicious-site.com/images

Cheers, Japz