During one of our usual internet failures as a Vodafone customer, I took the short break as an opportunity to take a closer look at the EasyBox URL.
During the failure, my browser directed me to the following EasyBox 804 website:
I immediately noticed a URL embedded in the URL, namely the page I had been on before the internet failure. As I suspected, it is an open redirect: any URL can be entered there and the EasyBox forwards to it promptly, even fully automatically once the Internet is working again!
An attacker sends the above URL to a victim; if the victim clicks the link, they end up on an infected website. Take Facebook as an example: if the user still has a valid Facebook session cookie and I redirect to an infected website with an XSS included, I can take over the victim's session, for instance. A more realistic scenario, however, is that the attacker recreates the EasyBox website and hosts it on an external domain, so that the victim is asked, for example, to log in to the visually identical EasyBox page and, if necessary, to set their WLAN password again.
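As an added illustration (not code from the EasyBox firmware or from this post), this is how the reconnect page could validate its redirect target so it only ever returns users to the router itself; the parameter name `redirect`, the router address `http://router.example` and the sample URLs are assumptions constructed for the example.

```python
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed placeholder for the router's own origin (not the real EasyBox address).
ROUTER_ORIGIN = "http://router.example"


def safe_redirect_target(raw: str, origin: str = ROUTER_ORIGIN) -> str:
    """Return an absolute URL on `origin`, or the origin's root page if `raw` is unsafe.

    Accepts only a relative path on the router; every form an open redirect
    would abuse (absolute URL, scheme-relative "//host", "javascript:", backslash
    tricks, header injection) falls back to the start page.
    """
    fallback = origin.rstrip("/") + "/"
    if not raw:
        return fallback
    # Browsers treat "\" like "/", so "/\evil.example" would become "//evil.example".
    candidate = raw.strip().replace("\\", "/")
    # Control characters (CR/LF) would allow Location-header injection.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return fallback
    parsed = urlparse(candidate)
    # Any scheme ("http:", "javascript:") or network location ("//evil.example") is foreign.
    if parsed.scheme or parsed.netloc:
        return fallback
    # Require a single leading slash: a plain path on this device.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return fallback
    result = urljoin(origin, candidate)
    # Belt and braces: the resolved URL must still live on our own origin.
    final, expected = urlparse(result), urlparse(origin)
    if (final.scheme, final.netloc) != (expected.scheme, expected.netloc):
        return fallback
    return result


def resolve_reconnect_redirect(request_url: str, origin: str = ROUTER_ORIGIN) -> str:
    """Extract the hypothetical `redirect` query parameter from a reconnect-page URL and sanitize it."""
    query = parse_qs(urlparse(request_url).query)
    return safe_redirect_target(query.get("redirect", [""])[0], origin)


if __name__ == "__main__":
    # Constructed sample: an external target is discarded, a local path is kept.
    print(resolve_reconnect_redirect("http://router.example/reconnect?redirect=http%3A%2F%2Fevil.example%2F"))
    print(resolve_reconnect_redirect("http://router.example/reconnect?redirect=%2Fstatus.html"))
```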
By the way, it is very unpleasant that a user can call up this URL without authentication and trigger a reconnection, which lets them interrupt the Internet connection at will. But we have learned that from Vodafone … it's a feature.
PS: Do you have an EasyBox? Just click on the link and see for yourself!