Open Redirect – Vodafone Easybox 804

Internet failure as a reason

During one of our usual internet outages as a Vodafone customer, I took the short break as an opportunity to take a closer look at the EasyBox URL.

During the outage, my browser directed me to the following EasyBox 804 website:

[Screenshot] Easy Box 804 - Menu - No internet connection

Open Redirect with EasyBox

I immediately noticed a second URL embedded in the EasyBox URL, namely the page I had been on before the outage. As suspected, this is an open redirect: any URL I want can be placed there, and the EasyBox forwards the browser to it promptly, even fully automatically once the internet connection is working again!

The attack scenario

An attacker sends the above-mentioned URL to a victim; if the victim clicks the link, they end up on a malicious website. Take Facebook as an example: if the user still has a valid Facebook session cookie and I redirect to a malicious website containing XSS, I could, for example, take over the victim's session. A more realistic scenario, however, is that the attacker recreates the EasyBox website and hosts it on an external domain, so that the victim is asked to log in to a visually identical EasyBox page and perhaps to set their WiFi password again.
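To make the flaw concrete from the defender's side, here is an added example (not code from this post, from Vodafone or from the EasyBox firmware) of the redirect pattern described above next to a hardened version of the same handler. The parameter name, the allowed hosts "easy.box" and "192.168.2.1", and the sample paths are constructed assumptions for the illustration; the real EasyBox parameter and addresses are not shown on this page.

```python
from urllib.parse import urlsplit

# Hosts the device may legitimately send the browser back to once the
# connection is up. Constructed example values, not EasyBox's real config.
ALLOWED_HOSTS = {"easy.box", "192.168.2.1"}
FALLBACK = "/"  # where to send the browser when the target is not trusted


def vulnerable_redirect_target(url_param: str) -> str:
    """The open-redirect pattern: the redirect target is taken verbatim
    from the request, so any attacker-supplied URL is accepted."""
    return url_param


def safe_redirect_target(url_param: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return a redirect target that stays on the device, or FALLBACK.

    - Relative paths ("/status") are kept; they resolve against the device's
      own origin and therefore cannot leave it.
    - Protocol-relative ("//evil.example") and backslash ("\\\\evil.example")
      forms are rejected, because browsers treat them as absolute URLs.
    - Absolute URLs pass only with scheme http/https and a hostname on the
      allowlist; "http://easy.box@evil.example/" fails because urlsplit
      reports the real hostname, not the userinfo part.
    """
    if not url_param:
        return FALLBACK
    # Browsers treat "\" like "/" in the authority part, so normalise first.
    candidate = url_param.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    if not parts.scheme and not parts.netloc:
        # A true relative reference; "//host" never reaches this branch
        # because urlsplit reports it with netloc set.
        if candidate.startswith("/"):
            return candidate
        return "/" + candidate  # "status.html" -> "/status.html"

    if parts.scheme.lower() not in ("http", "https"):
        return FALLBACK  # javascript:, data:, and similar schemes
    if (parts.hostname or "").lower() not in allowed_hosts:
        return FALLBACK
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs, the kind of values an attacker would try.
    for sample in ["/status", "http://easy.box/status", "http://evil.example/",
                   "//evil.example/", "\\\\evil.example", "javascript:alert(1)",
                   "http://easy.box@evil.example/"]:
        print(f"{sample!r:35} vulnerable -> {vulnerable_redirect_target(sample)!r:35} "
              f"safe -> {safe_redirect_target(sample)!r}")
```

The design choice worth noting is that the hardened handler does not try to blocklist bad targets; it only accepts a same-origin path or an allowlisted host and sends everything else to a fixed fallback, which is the usual fix for this bug class.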

By the way, it is quite unpleasant that a user can simply access the URL without authentication and trigger a reconnect, thereby interrupting the Internet connection. But we learned this from Vodafone… it’s a feature.

The CVSSv3 score is 6.4 (AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).

PS: Do you have an EasyBox? Just click on the link and see for yourself!