Starbucks: Open Redirection in Login - Korean Starbucks

2018-07-12T12:07:22
ID H1:380939
Type hackerone
Reporter jtjisgod
Modified 2019-03-20T16:49:58

Description

Summary: An open redirection exists in the Korean Starbucks login page. An attacker can redirect the victim to another site, such as a phishing site.

Description: When the victim visits https://www.istarbucks.co.kr/login/login.do?redirect_url=//www.bughunting.net and logs in, he/she is redirected to the www.bughunting.net page.

PoC: https://www.istarbucks.co.kr/login/login.do?redirect_url=//www.bughunting.net

Etc: I attached a PoC video.

Impact

Phishing
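The PoC above works because `//www.bughunting.net` is a scheme-relative URL: it starts with a slash, so a check that only asks "does redirect_url begin with /?" accepts it, yet the browser resolves it to an external host. The example below is added here and is not code from the report or from Starbucks; it shows that weak check next to a hardened version that only returns same-origin paths. The function names, the `default` landing page and all sample values other than `//www.bughunting.net` are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Sample redirect_url values (constructed for this example; only the
# scheme-relative `//www.bughunting.net` form is taken from the report).
SAMPLES = [
    "/mypage/main.do",                # legitimate same-origin path
    "/account?next=1#top",            # same-origin path with query/fragment
    "//www.bughunting.net",           # the report's PoC: scheme-relative
    "/\\www.bughunting.net",          # backslash variant browsers turn into //
    "https://www.bughunting.net",     # absolute external URL
    "",                               # missing value
]


def naive_is_local(url: str) -> bool:
    """The kind of check that lets `//host` through: it only asks whether the
    value starts with a slash, which a scheme-relative URL also does."""
    return url.startswith("/")


def safe_redirect_target(url: str, default: str = "/") -> str:
    """Return `url` only if it is a same-origin path; otherwise `default`.

    Same-origin here means: a single leading slash, no scheme, no authority.
    Anything else (absolute URL, `//host`, `/\\host`, empty) falls back to
    `default`, which is the safest behaviour for a post-login redirect.
    """
    if not url or not url.startswith("/"):
        return default
    # Reject scheme-relative (`//host`) and the backslash form (`/\host`)
    # that browsers normalise to `//host` before resolving.
    if url.startswith("//") or url.startswith("/\\"):
        return default
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return default
    # Rebuild from path/query/fragment only, so no authority component
    # can survive into the Location header.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


def compare(samples=SAMPLES):
    """Run both checks over the samples; returns {value: (naive, hardened)}."""
    return {s: (naive_is_local(s), safe_redirect_target(s)) for s in samples}


if __name__ == "__main__":
    for value, (naive, hardened) in compare().items():
        print(f"{value!r:32} naive_accepts={naive!s:5} hardened_target={hardened!r}")
```

Running it shows the divergence on exactly the report's input: `naive_is_local("//www.bughunting.net")` returns `True`, while `safe_redirect_target` sends the user to `/` instead. In practice, prefer an allow-list of known post-login pages over any string check, and apply the same rule wherever `redirect_url` is read.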