Security News > 2022 > August > Open Redirect Flaw Snags Amex, Snapchat User Data

Attackers are exploiting a well-known open redirect flaw to phish people's credentials and personally identifiable information using American Express and Snapchat domains, researchers have found.

Open redirect is a security vulnerability that occurs when a website fails to validate user input, which allows bad actors to manipulate the URLs of domains from legitimate entities with good reputations to redirect victims to malicious sites, researchers said.

Com open redirect vulnerability in 2,029 phishing emails that originated from newly created domains.

The phishing emails in the Snapchat open redirect group impersonated DocuSign, FedEx and Microsoft, and all had snapchat open redirects that led to Microsoft credential harvesting sites, researchers said.

The open redirect vulnerability on the Snapchat domain was unpatched at the time of the campaign and remains so, though Open Bug Bounty reported it to the company on Aug. 4, 2021, Kay noted.

If domain owners care to mitigate attacks using open redirect further, they can take a few simple steps, Kay noted.

News URL

https://threatpost.com/open-redirect-flaw-snags-amex-snapchat-user-data/180354/