This report was fully disclosed on 16 March 2021

Summary

On 16 December 2020 an open redirect vulnerability was found on canadiantire.ca. Due to a lack of input filtering and validation it is possible for a user to be directed to the trusted web application but subsequently be redirected an arbitrary URL.

Impact:​ An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application.

About CanadianTire: “Canadian Tire Corporation Limited is a Canadian retail company which operates in the automotive, hardware, sports, leisure and housewares sectors”

Proof of Concept

Visit the affected URL listed below. Optionally replace the contents of the emailVerificationLink parameter with an attacker controlled URL, in this case we used https://glitchwitch.io/ as a proof of concept.

https://www.canadiantire.ca/en/email-activated.html?UID=null&emailVerificationLink=https://glitchwitch.io/

PoC GIF

Discovery

This vulnerability was originally discovered from a suspicious looking email that was automatically flagged as spam/phishing. The email in question was sent to a single use email provided during an online purchase on canadiantire.ca in 2018 while travelling, it was received from [email protected] and included the link https://www.canadiantire.ca/en/email-activated.html?UID=REDACTED&emailVerificationLink=https://accounts.us1.gigya.com/accounts.verifyEmail?apiKey=[REDACTED]

While the email appears to be a legitimate email from Canadian Tire, it is in fact sent by the third party company Gigya.com, a “customer identity management platform”.

This email demonstrates a perfect example of how an attacker could mimic an authentic email from Canadian Tire and trick unsuspecting users into providing sensitive content such as personal information, passwords, or even financial details.

At this time it has not been confirmed if the email was legitimate in nature, however if it were authorized by Canadian Tire a serious review of this practice should be undertaken as it could lead users to trust emails from illegitimate third parties claiming to be Canadian Tire.

Email

Remediation Status

No security.txt or other security contact information was found on the main site, corporate information site, or the cyber security recruitment site.

Initial contact with a request for the appropriate information security teams contact info was made on 16 December 2020. Additionally messages requesting the same were sent via email and LinkedIn to employees working within the Information Security and Cyber Security departments of the company. At the time of publishing, no response has been received.

Timeline

  • 16 December 2020: Affected Party Notified
  • 16 March 2021: Report Published (+90 days)