[BugBounty] malicious redirect on mailroom.prezi.com

Dear readers,

today i want to share a short story of a bug i found on one of prezi’s subdomains called mailroom.prezi.com.The Webserver at http://mailroom.prezi.com is configured to redirect the Users to the Login Page of Prezi, so far so good, i found out that if you add a Domain lets say http://mailroom.prezi.com/.anydomain.com to the end of the URL it redirects to https://mailroom.prezi.com.anydomain.test,
to validate this one i created a new Subdomain called mailroom.prezi.com.it-securityguard.com, so if an attacker sets up a valid https cloned site of the actual login page  a request on http://mailroom.prezi.com/.it-securityguard.com will redirect the user to https://mailroom.prezi.com.it-securityguard.com (the attacker owned domain).

2000px-Prezi_logo_transparent_2012.svg

This issue was worth 500$ of cash reward. The Prezi Team as always fixed this issue in less than 24 hours, heads up for this nice and skilled security team.

hope you enjoyed.

en_USEnglish