#8. Bug Bounty Series: Broken Link Hijacking Vulnerability | Hall of Fame
Hello and welcome, fellow cyber explorers! I'm excited to share an interesting vulnerability I discovered during a bug bounty program. This time, it was a case of Broken Link Hijacking, a straightforward but highly impactful issue.
Description:
Broken link hijacking (BLH) is a type of web attack that exploits external links that are no longer valid. If your website or web application loads resources from external URLs, or points to such resources, and those resources are no longer there (for example because the domain has expired), an attacker can take over the target of the link and use it for defacement, impersonation, or even cross-site scripting attacks.
Impacts of BLH:
- Data Theft and Privacy Violation: Broken Link Hijacking can lead to data theft, identity exposure, and privacy violations.
- Social Engineering and Scams: the technique is also exploited for social engineering attacks and scams.
A broken link might seem minor, but it can cause serious harm to your website, reputation, and business. Even one broken link can hurt your user experience, lower search engine rankings, reduce revenue, and drive customers away. In some cases, it can even lead to phishing attacks.
BLH is not limited to social media accounts. If a website references a third-party domain and that domain expires, it can be taken over as well.
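The defender's side of this is an outbound-link audit: parse your own pages, pull out every reference to a host you do not control, and probe whether the target still exists. The script below is an added example written for this post, not code from the original author. It uses only the Python standard library; the sample HTML, the `SOCIAL_HOSTS` list, and the offline status table are constructed for illustration, and the `probe` callable is injectable so the audit can run against a live site or, as here, entirely offline.

```python
"""Audit a page's outbound links for broken-link-hijacking risk (added example)."""
import socket
import urllib.error
import urllib.request
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that references an external resource.
_REF_ATTRS = {"a": "href", "script": "src", "link": "href", "img": "src", "iframe": "src"}

# Constructed list: hosts where a 404 on a profile URL means the handle is unclaimed.
SOCIAL_HOSTS = {"instagram.com", "www.instagram.com", "twitter.com", "www.twitter.com",
                "x.com", "facebook.com", "www.facebook.com"}


class _LinkCollector(HTMLParser):
    """Collect absolute URLs from href/src attributes of the tags in _REF_ATTRS."""

    def __init__(self, base_url: str) -> None:
        super().__init__()
        self.base_url = base_url
        self.links: List[str] = []

    def handle_starttag(self, tag, attrs):
        wanted = _REF_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.links.append(urljoin(self.base_url, value.strip()))


def extract_external_links(html: str, base_url: str) -> List[str]:
    """Return deduplicated http(s) URLs whose host differs from base_url's host."""
    collector = _LinkCollector(base_url)
    collector.feed(html)
    own_host = urlsplit(base_url).hostname
    seen, result = set(), []
    for url in collector.links:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or parts.hostname is None:
            continue
        if parts.hostname == own_host or url in seen:
            continue
        seen.add(url)
        result.append(url)
    return result


def live_probe(url: str, timeout: float = 5.0) -> Optional[int]:
    """HTTP status for url, or None when the host does not resolve or refuses the connection."""
    req = urllib.request.Request(url, headers={"User-Agent": "blh-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except (urllib.error.URLError, socket.timeout, OSError):
        return None


def audit(html: str, base_url: str,
          probe: Callable[[str], Optional[int]] = live_probe) -> Dict[str, str]:
    """Map each external link to 'ok', 'unclaimed-handle', 'broken' or 'unresolvable'."""
    findings: Dict[str, str] = {}
    for url in extract_external_links(html, base_url):
        status = probe(url)
        host = urlsplit(url).hostname
        if status is None:
            findings[url] = "unresolvable"      # NXDOMAIN / refused: domain may have expired
        elif status == 404 and host in SOCIAL_HOSTS:
            findings[url] = "unclaimed-handle"  # the case described in this post
        elif status >= 400:
            findings[url] = "broken"
        else:
            findings[url] = "ok"
    return findings


# Constructed sample page and an offline probe so the audit runs without network access.
SAMPLE_HTML = """
<html><body>
<a href="/about">About</a>
<a href="https://www.instagram.com/acme_corp_old">Instagram</a>
<a href="https://twitter.com/acme_corp">Twitter</a>
<script src="https://cdn.expired-example.invalid/app.js"></script>
<img src="https://img.example.org/logo.png">
</body></html>
"""
OFFLINE_STATUSES = {
    "https://www.instagram.com/acme_corp_old": 404,
    "https://twitter.com/acme_corp": 200,
    "https://cdn.expired-example.invalid/app.js": None,
    "https://img.example.org/logo.png": 410,
}


def offline_probe(url: str) -> Optional[int]:
    return OFFLINE_STATUSES.get(url)


def demo() -> Dict[str, str]:
    return audit(SAMPLE_HTML, "https://www.acme-example.com/", probe=offline_probe)


if __name__ == "__main__":
    for link, finding in demo().items():
        print(f"{finding:17} {link}")
```

Treat the HTTP status as a heuristic rather than a verdict: some platforms answer a missing profile with a 200 and a login wall rather than a 404, so the `probe` for a given host may need to inspect the response body or use the platform's own API. The `unresolvable` and `unclaimed-handle` findings are the ones to act on first, since an expired domain or a free handle can be registered by anyone.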
Now let's get to the main point…
While examining the target, I noticed various social media icons like Facebook, Twitter and Instagram at the bottom of the page.
When I clicked on the Instagram icon, it led to a username that didn't have an associated account; Instagram showed that no account existed for that username.
I immediately created an Instagram account using that username. Once the account was set up, the link on the target's page redirected to the newly created Instagram account.
An attacker could exploit this broken link to harm the company's reputation. I reported the issue to the company, and they responded by acknowledging the bug. They also informed me that it was eligible for the Hall of Fame.
So, that's it for now. Thanks for reading, and I appreciate you taking the time. For other such writeups, do visit the writeups page.
If you found it useful, please click the button and share it with others who have similar interests! Feedback is always appreciated!