The MailChimp, Olark and Kaneva websites have a security bug: they can be exploited by Open Redirect (Unvalidated Redirects and Forwards) attacks. Here is the description of Open Redirect: “A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.” (From CWE)
(1) MailChimp’s Login Page Open Redirect Vulnerability
http://login.mailchimp.com/?referrer=http://google.com [1]
http://login.mailchimp.com/?referrer=http://kb.mailchimp.com/
(2) Olark Open Redirect Vulnerability
http://images-async.olark.com/status/9353-431-10-4341/image.png?online=http://static.olark.com/images/image-orangelark-available.png%20%20%20%20%20%20%20%20%20%20&offline=http://google.com
(3) Kaneva Sign-in Page Open Redirect Vulnerability
From: http://tetraph.com/security/2014/04/kaneva-sign-page-open-redirect-vulnerability/
http://www.kaneva.com/loginSecure.aspx?logretURLNH=http%3a%2f%2fmsn.com [1]
https://www.kaneva.com/loginSecure.aspx?logretURLNH=https://shop.kaneva.com/MySales.aspx
The flaw can be exploited without logging in. Tests were performed on Microsoft IE 9 (9.0.8112.16421) on Windows 7, Mozilla Firefox 37.0.2 and Google Chromium 42.0.2311 (64-bit) on Ubuntu 14.04.2, and Apple Safari 6.1.6 on Mac OS X v10.9 Mavericks. These bugs were found using URFDS.
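The fix for every case above is the same: the value of the redirect parameter (`referrer`, `offline`, `logretURLNH`) must be checked against the site's own hosts before it is used in a Location header. The following added example, which is not code from any of the three sites, shows such a check run over the request URLs listed above; the allowlist of return hosts is a constructed assumption, since the real sites' rules are not on the page.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist of hosts a login page may legitimately send the user
# back to (assumption: the real sites' allowlists are not on the page).
ALLOWED_HOSTS = {"kb.mailchimp.com", "shop.kaneva.com", "static.olark.com"}


def safe_redirect_target(value, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Validate a user-supplied redirect target.

    Returns the value unchanged when it is a same-origin path or an absolute
    http(s) URL whose host is on the allowlist; otherwise returns fallback.
    """
    value = (value or "").strip()
    if not value or "\\" in value:
        # Empty, or contains backslashes that browsers treat as slashes
        # (so "/\\host" would leave the site): use the safe default.
        return fallback
    parts = urlsplit(value)
    if not parts.scheme and not parts.netloc:
        # No scheme and no authority: a relative reference. Require exactly
        # one leading "/" so it resolves within this origin; "//..." forms
        # are read by browsers as protocol-relative absolute URLs.
        if value.startswith("/") and not value.startswith("//"):
            return value
        return fallback
    if parts.scheme.lower() not in ("http", "https"):
        return fallback  # javascript:, data:, mailto: and similar schemes
    # hostname drops userinfo and port, so "trusted@evil" yields "evil".
    host = (parts.hostname or "").lower()
    return value if host in allowed_hosts else fallback


def resolve_redirect_param(request_url, param):
    """Extract `param` from a request URL, percent-decode it as a web
    framework would, and decide where the page is allowed to redirect."""
    query = parse_qs(urlsplit(request_url).query)
    raw = query.get(param, [""])[0]
    return safe_redirect_target(raw)
```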