Thursday, 17 April 2014

Kaneva Sign-in Page Open Redirect Vulnerability - 0Day Attacks

“Combining a social network and a virtual world, Kaneva brings profiles and entertainment to the 3D realm in a modern-day, online digital world full of real friends and good times. Kaneva provides a whole new way — a more human way — to connect with friends online.
Kaneva members create the digital version of themselves — avatars — and then meet up in a vibrant, 3D world based on the modern day. Every Kaneva member gets a Kaneva City Loft — their own 3D space — that they can decorate and furnish in their unique style. You can bring your favorite videos, photos, music, and games, and watch them on your 3D televisions. You can invite friends to hang out in your 3D home or meet up in any of Kaneva’s public spaces and chat in real-time. You can shop for the latest fashions or home decor, chat, dance, play games, watch TV and movies, and come back again and again to explore and have fun in an ever evolving world full of exciting people, places and entertainment.”


The vulnerability exists in the "loginSecure.aspx" page, through the "logretURLNH" parameter, e.g.
http://www.kaneva.com/loginSecure.aspx?logretURLNH=http%3a%2f%2fmsn.com [1]

When victims who are not logged in click the URL ([1]) above, the Kaneva sign-in page is displayed and they are asked to enter their username and password. After signing in, they are redirected to a webpage outside Kaneva.

Tests were performed on Microsoft IE 9 (9.0.8112.16421) on Windows 8, Mozilla Firefox 37.0.2 and Google Chromium 42.0.2311 (64-bit) on Ubuntu 14.04.2, and Apple Safari 6.1.6 on Mac OS X v10.9 Mavericks.

(1) The following tests illustrate the scenario described above.

The redirected webpage address is "http://www.tetraph.com/essaybeans/street_artists/clark_quay.html". Suppose that this webpage is malicious.

Vulnerable URL:
https://www.kaneva.com/loginSecure.aspx?logretURLNH=https://shop.kaneva.com/MySales.aspx

POC:
http://www.kaneva.com/loginSecure.aspx?logretURLNH=http%3A%2F%2Fwww.tetraph.com%2Fessaybeans%2Freflections%2Fsolitude.html
http://www.kaneva.com/loginSecure.aspx?logretURLNH=http%3a%2f%2fgoogle.com
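As an added defensive example (not code from the advisory or from Kaneva), the following Python function shows how a sign-in page should validate a return-URL parameter such as logretURLNH before redirecting: it accepts the legitimate same-site target from the "Vulnerable URL" above and falls back to a default for the off-site POC values. The allow-listed hosts, the https requirement and the default target are assumptions.

```python
from urllib.parse import unquote, urlsplit

# Hosts the sign-in page may send users back to (assumed for this example;
# Kaneva's real allow-list is not known from the advisory).
ALLOWED_HOSTS = {"www.kaneva.com", "shop.kaneva.com"}
DEFAULT_TARGET = "/"


def safe_return_url(raw: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return the post-login redirect target, or DEFAULT_TARGET if unsafe.

    Accepts only site-relative paths or https URLs on an allow-listed host;
    anything else (off-site, protocol-relative, odd schemes) is rejected.
    """
    if not raw:
        return DEFAULT_TARGET
    # The web framework normally decodes the query string once; decode again
    # defensively so a double-encoded value cannot bypass the checks below.
    value = unquote(unquote(raw)).strip()
    # Browsers treat backslashes as forward slashes, so normalise first
    # ("/\host" would otherwise parse as a harmless-looking path).
    value = value.replace("\\", "/")
    # Control characters or embedded whitespace can hide a scheme or host.
    if any(ord(c) < 0x20 or c == " " for c in value):
        return DEFAULT_TARGET
    parts = urlsplit(value)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: exactly one leading "/" ("//host" is off-site).
        if value.startswith("/") and not value.startswith("//"):
            return value
        return DEFAULT_TARGET
    # Absolute URL: require https and an allow-listed hostname. urlsplit's
    # hostname handles "user@host" and "host:port" forms correctly.
    if parts.scheme.lower() != "https":
        return DEFAULT_TARGET
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return DEFAULT_TARGET
    return value
```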

Credit:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/
