An open redirect vulnerability has been found on MasterCard’s Australia web site (mastercard.com.au), according to an advisory by researcher Anastasios Monachos from Packet Storm.
An open redirect vulnerability (CWE-601) occurs, in the words of the Common Weakness Enumeration dictionary, when a web application “accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect.”
“Certain unspecified input is not properly verified before being used,” Monachos says in the advisory. “This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.”
This class of flaw is commonly abused in phishing campaigns, because the link the victim sees and clicks points at the trusted domain. The issue can be exploited remotely, but Monachos rated its severity as “very low.”
The open redirect-vulnerable URL from MasterCard’s web site is “https://migs.mastercard.com.au/vpcpay?vpc_ReturnURL=http://<any_domain>”.
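The fix for this class of bug is to stop treating a return URL as an opaque string and to validate it server-side against an allow-list of destinations before issuing the redirect. The example below is added here to illustrate that check; it is not MasterCard's code and it knows nothing about how the vpcpay script actually handles vpc_ReturnURL. The hostnames shop.example.com and checkout.example.com and the fallback URL are assumptions chosen for the example. It shows the vulnerable pattern the advisory describes (using the parameter as-is) beside a hardened version, and it deliberately handles the common bypasses practitioners test for: scheme-relative URLs, userinfo tricks, look-alike subdomains, backslash variants and non-default ports.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list of hosts a payment page may legitimately return to.
# These hostnames are assumptions for this example, not a real configuration.
ALLOWED_RETURN_HOSTS = {"shop.example.com", "checkout.example.com"}
# Fixed, safe destination used whenever the supplied URL fails validation.
DEFAULT_RETURN = "https://shop.example.com/"


def vulnerable_redirect_target(vpc_return_url: str) -> str:
    """The pattern described in the advisory: the parameter is used unchanged,
    so ?vpc_ReturnURL=http://<any_domain> sends the user anywhere."""
    return vpc_return_url


def safe_redirect_target(vpc_return_url: str) -> str:
    """Return vpc_return_url only if it is an https URL whose host is on the
    allow-list; otherwise return DEFAULT_RETURN."""
    if not vpc_return_url:
        return DEFAULT_RETURN

    # Browsers treat "https:\\evil.example.net" like "https://evil.example.net",
    # but urlsplit does not, so reject backslashes rather than guess.
    if "\\" in vpc_return_url:
        return DEFAULT_RETURN

    parts = urlsplit(vpc_return_url)

    # Require an explicit https scheme and an explicit host. This rejects
    # "//evil.example.net" (scheme-relative), "https:evil.example.net" (no
    # authority), "javascript:..." and plain "http://" destinations.
    if parts.scheme.lower() != "https" or not parts.hostname:
        return DEFAULT_RETURN

    # .hostname is lower-cased and has userinfo removed, so
    # "https://shop.example.com@evil.example.net/" yields "evil.example.net".
    if parts.hostname not in ALLOWED_RETURN_HOSTS:
        return DEFAULT_RETURN

    # Only the default https port; .port raises ValueError on junk like ":abc".
    try:
        if parts.port not in (None, 443):
            return DEFAULT_RETURN
    except ValueError:
        return DEFAULT_RETURN

    return vpc_return_url


if __name__ == "__main__":
    # Constructed sample inputs, the first being the shape shown in the advisory.
    samples = [
        "http://evil.example.net/",
        "https://shop.example.com/orders/42?ok=1",
        "//evil.example.net/",
        "https://shop.example.com@evil.example.net/",
        "https://shop.example.com.evil.example.net/",
        "https:\\\\evil.example.net/",
    ]
    for s in samples:
        print(f"{s!r:55} vulnerable -> {vulnerable_redirect_target(s)!r}")
        print(f"{'':55} safe       -> {safe_redirect_target(s)!r}")
```

Note that the hardened function returns the caller's original string only after every check has passed on the parsed form; it never rebuilds the URL from pieces, which avoids normalisation mismatches between what was checked and what is sent in the Location header. An exact-host allow-list is preferable to a "starts with trusted domain" string comparison, which the look-alike subdomain and userinfo cases above would defeat.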
Since the advisory was created a month ago, MasterCard hasn’t responded to Monachos’ contact attempts.
It’s unclear whether MasterCard has fixed the vulnerability. The web site is widely trusted, so links built on it could be used in phishing attempts for as long as the vulnerability remains.