I found a (quite serious) vulnerability on the new MC beta page. It's possible to insert a JavaScript URI in the return_url parameter. Here's a little demo:
https://beta.minecraft.net/en/login/?return_url=javascript:alert%28document.cookie%29
The good news is that this particular vuln only works when you're logging in on that page, but at that point it can be used to do pretty much anything. I assume you know what XSS is.
The minified JS code is a bit hard to read, so I haven't checked other endpoints, but there might be similar cases where a login is not required. You should double check that window.location.href is only used with safe URIs.
You should also be able to check your nginx (1.6.2, duh) logs to see if this has already been abused.
Your fix looks good:
if (e.protocol() === "http" || e.protocol() === "https" || e.toString().indexOf("/") === 0) {
// ...
Should be safe now!
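As an added illustration of the defence the original post and the fix above are about (this is example code, not the beta.minecraft.net site's own code): a return_url validator that a login page can run before assigning to window.location.href. Instead of testing scheme names or a leading "/" by hand, it resolves the candidate against the site's own origin with the WHATWG URL parser and only accepts the result when the origin is the site itself. That rejects javascript: and data: URIs, absolute foreign URLs, and protocol-relative values such as //host, which do start with a single "/" but navigate off-site. SITE_ORIGIN and DEFAULT_RETURN are assumed values for the example.

```javascript
// Added example, not code from the site under discussion.
// SITE_ORIGIN and DEFAULT_RETURN are assumed values.
const SITE_ORIGIN = "https://beta.minecraft.net";
const DEFAULT_RETURN = "/";

// Return a URL that is safe to navigate to after login, or DEFAULT_RETURN.
// Accepts only http(s) URLs that resolve to SITE_ORIGIN (absolute or relative).
function safeReturnUrl(candidate) {
  if (typeof candidate !== "string" || candidate.length === 0) {
    return DEFAULT_RETURN;
  }
  let parsed;
  try {
    // Relative paths ("/en/") resolve against SITE_ORIGIN; anything carrying
    // its own scheme ("javascript:", "data:", "https://other.example") keeps it.
    // The parser also strips leading/trailing whitespace and lowercases the
    // scheme, so " JavaScript:..." cannot slip past a plain string compare.
    parsed = new URL(candidate, SITE_ORIGIN);
  } catch (e) {
    return DEFAULT_RETURN; // unparseable input: fall back to the default
  }
  // Non-http(s) schemes have origin "null"; "//evil.example" and
  // "/\\evil.example" resolve to a different host. All fail this test.
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    return DEFAULT_RETURN;
  }
  if (parsed.origin !== SITE_ORIGIN) {
    return DEFAULT_RETURN;
  }
  // Hand back the normalised absolute form rather than the raw input.
  return parsed.href;
}

// Constructed sample inputs, including the one from the original report.
const samples = [
  "javascript:alert%28document.cookie%29",
  "/en/",
  "//evil.example/",
  "https://beta.minecraft.net/en/?a=1",
  "https://evil.example/",
  "data:text/html,hi",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeReturnUrl(s));
}
```

The point of parsing rather than prefix-matching is that the browser will parse the value anyway when it navigates; validating the parsed result means the check and the navigation agree on what the string means.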
Thanks for verifying! We're of course aware of what XSS is. This was just an oversight on our part.
I also agree with you on the above mentioned logout issue. We should change it to be POST only.
Unfortunately we do not offer a bug bounty, but your help is much appreciated nonetheless 🙂
One more thing:
Since https://beta.minecraft.net/logout/ works via a GET request, a potential attacker could remotely log you out (e.g. by embedding an <img> with that URL), before sending you the malicious link, thus forcing the login page to show up.
This is in itself not a bug, but in this case it increases the attack vector. Other than that it's just plain annoying (see http://superlogout.com/) and you might want to change it to POST-only.