Broken Link Hijacking

Rohmad Hidayah
Dec 8, 2023


Have you ever seen social media icons such as Instagram, Facebook, YouTube, etc. linked from a website?

Have you ever clicked one of those links?

And have you ever gotten an error page when visiting that link? That error can be a sign of a vulnerability called broken link hijacking.

In this write-up, I will discuss what broken link hijacking is and how to exploit it.

Before continuing, I want to explain in simple terms what broken link hijacking is.

Broken link hijacking is a vulnerability that occurs when a link a site publishes (for example, a link used for promotion) points to a resource that no longer exists or has expired, so someone else can claim it. This vulnerability is usually leveraged for phishing or social engineering to trick the victim.

OK, moving on to the main topic: let’s say we have a target, namely redacted.com.

On the redacted.com site there are social media links such as Instagram, Facebook, YouTube, and so on. When we click the Instagram link, we are taken to an Instagram account page that shows an error. Image as below.

The link looks like this: https://www.instagram.com/abc, where abc is the username of the Instagram account that returned the error.

So how is it exploited?

Steps to Reproduce

1. Go to your Instagram account.
2. Change your username, which was originally qwerty, to abc (where abc is the username of the Instagram account that returned the error).

Like this

and also make sure the username (abc) is available.

3. Go to the home page of redacted.com and click the Instagram icon again, or reload the Instagram page that showed the error.
4. Boom!

5. We have successfully claimed the username of the redacted.com Instagram account, and if a user visits the redacted.com Instagram link, they will land on the attacker’s (namely our) Instagram account page.

Note: make sure the Instagram username is still available to register; otherwise it will be difficult to exploit :(

Impact

1. Damaging the website owner’s reputation.
2. Loss of user and audience trust.

Remediation

Check your social media links regularly and update any that point to accounts that no longer exist.
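One way to run that regular check, added here as an example and not part of the original write-up: a small Python script that pulls the social media links out of a page’s HTML and flags those whose profile no longer resolves. The host list, the HREF regex and the sample footer are my own assumptions; the live probe uses only the standard library.

```python
import re
from urllib.error import HTTPError, URLError
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Profile hosts where the path is a claimable handle (assumption: extend as needed).
SOCIAL_HOSTS = {"instagram.com", "www.instagram.com", "facebook.com", "www.facebook.com",
                "youtube.com", "www.youtube.com", "twitter.com", "x.com"}
HREF = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def social_links(html):
    """Return the distinct outbound links on the page that point at a social profile."""
    found = []
    for href in HREF.findall(html):
        if urlparse(href).netloc.lower() in SOCIAL_HOSTS and href not in found:
            found.append(href)
    return found


def http_status(url, timeout=10):
    """Fetch a profile URL and return its HTTP status, or None if unreachable."""
    req = Request(url, headers={"User-Agent": "broken-link-audit/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code  # 404/410: the account is gone and its handle may be free
    except URLError:
        return None


def audit(html, probe=http_status):
    """Map each social link whose target is gone (404/410 or unreachable) to its status."""
    broken = {}
    for url in social_links(html):
        status = probe(url)
        if status in (404, 410, None):
            broken[url] = status
    return broken


# Constructed sample footer and constructed statuses so the demo runs offline;
# use the default probe=http_status to check a live page instead.
SAMPLE_HTML = """<footer><a href="/about">About</a>
<a href="https://www.instagram.com/abc">Instagram</a>
<a href="https://www.facebook.com/redacted">Facebook</a></footer>"""
SAMPLE_STATUS = {"https://www.instagram.com/abc": 404,
                 "https://www.facebook.com/redacted": 200}

if __name__ == "__main__":
    print(audit(SAMPLE_HTML, probe=SAMPLE_STATUS.get))
```

Some platforms answer 200 with a "page not available" body or redirect anonymous visitors to a login page, so treat the status check as a first pass and confirm flagged links in a browser.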

Timeline

November 2, 2023: Report sent
November 3, 2023: Accepted
November 27, 2023: Bug resolved
December 6, 2023: Certificate awarded
