Host Header Injection / Redirect on Spotify — Bounty $200
In the realm of cybersecurity, uncovering vulnerabilities is a vital step in fortifying digital landscapes. My journey led me to the discovery of a significant security vulnerability on the Spotify website, an experience I’d like to share with you. In this blog post, I’ll recount my journey from identifying the issue to responsibly disclosing it, all while shedding light on the importance of web security.
The Quest Begins:
My exploration began with a curiosity to uncover security weaknesses within well-known websites. Spotify, one of the world’s most popular music streaming platforms, was my chosen target for investigation. After some initial probing, I stumbled upon a security loophole — a vulnerability that could potentially compromise the website’s integrity.
The Vulnerability: Host Header Injection
The vulnerability I discovered pertained to “Host Header Injection.” In essence, it allowed me to manipulate the host header in HTTP requests, potentially causing the website to redirect to an unintended domain. For instance, instead of visiting spotify.com, an attacker could force a redirect to a different, malicious domain.
Understanding the Impact:
The impact of this vulnerability hinges on how the host header is used within the website’s backend application code. If the code references the hostname used in URLs, it opens up avenues for exploitation. Attackers could tamper with hyperlinks, manipulate password reset pages, and potentially redirect sensitive information to malicious domains.
Steps to Reproduce:
Here’s a simplified guide on how I uncovered the vulnerability:
1. Set up a testing environment with tools like Burp Suite and a web browser.
2. Visit the target website: https://www.spotify.com.
3. Intercept the HTTP request using Burp Suite.
4. Inject a malicious payload into the host header.
5. Forward the request.
As a result, the website would directly redirect to the specified malicious domain.
Responsible Disclosure:
Recognizing the gravity of the situation, I promptly reported the vulnerability to Spotify through HackerOne, a platform that facilitates communication between security researchers and organizations. It’s essential to follow responsible disclosure practices to ensure that vulnerabilities are addressed without causing harm.
Bounty Reward and Closure:
My efforts did not go unnoticed. Spotify’s security team acknowledged the vulnerability and awarded me a $200 bounty reward for my responsible disclosure. This serves as a testament to the importance of security researchers in identifying and mitigating potential threats.
Visualizing the Journey:
GET /.. HTTP/2
Host: www.evil.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
HTTP/2 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Referrer-Policy: no-referrer
Location: https://www.evil.com/
Content-Length: 218
Date: Mon, 14 Mar 2022 00:46:08 GMT
Alt-Svc: clear
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="https://www.evil.com/">here</A>.
</BODY></HTML>Conclusion:
My journey of discovering a host header injection vulnerability on Spotify underscores the critical role that security researchers play in enhancing web security. Responsible disclosure is a collaborative effort between researchers and organizations to create a safer digital environment.
I extend my gratitude to Spotify for their responsiveness and commitment to addressing security concerns promptly. Together, we’ve made the internet a little safer for everyone.
In a world where digital threats persist, our collective efforts in identifying and addressing vulnerabilities are crucial. If you stumble upon a security issue, consider responsible disclosure — it’s a step toward a more secure online world for all.
