This report was fully disclosed on 16 March 2021
On 16 December 2020 an open redirect vulnerability was found on canadiantire.ca. Due to a lack of input filtering and validation, a user can be directed to the trusted web application and subsequently redirected to an arbitrary URL.
Impact: An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application.
About CanadianTire: “Canadian Tire Corporation Limited is a Canadian retail company which operates in the automotive, hardware, sports, leisure and housewares sectors”
Proof of Concept
Visit the affected URL listed below. Optionally, replace the contents of the emailVerificationLink parameter with an attacker-controlled URL; in this case we used https://glitchwitch.io/ as a proof of concept.
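The defensive counterpart to the proof of concept above, as an added example that is not part of the original report and is not Canadian Tire's or Gigya's code: a server-side allowlist check that a redirect parameter such as emailVerificationLink should pass through before it is placed in a Location header. The host names in ALLOWED_HOSTS and the sample inputs are constructed placeholders. It goes beyond the single case in the report by also rejecting the common ways a naive "starts with a slash" or "contains our domain" check gets bypassed: protocol-relative URLs, backslashes, userinfo tricks and a double-slash path on an allowed host.

```python
from urllib.parse import urlsplit

# Hosts the application may redirect to (constructed placeholder values).
ALLOWED_HOSTS = {"www.example-retailer.test", "example-retailer.test"}


def normalise_redirect(raw, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return a same-site redirect target derived from user input, or `default`.

    Accepted:
      * a relative path starting with a single "/" (never "//" or "/\\"), or
      * an absolute http(s) URL whose host is in `allowed_hosts`; it is rewritten
        to its path, query and fragment so the Location header is always relative.
    Anything else (other schemes, protocol-relative URLs, foreign hosts, userinfo
    such as https://trusted@other) falls back to `default`.
    """
    if not isinstance(raw, str) or not raw:
        return default
    value = raw.strip()
    # Interior whitespace or control characters are never legitimate here.
    if any(ord(c) < 0x20 or c.isspace() for c in value):
        return default
    # Some browsers treat "\" as "/", so normalise it before looking for "//".
    value = value.replace("\\", "/")

    if value.startswith("/"):
        if value.startswith("//"):
            return default  # protocol-relative URL resolves to an external host
        return value

    parts = urlsplit(value)
    if parts.scheme.lower() not in ("http", "https"):
        return default
    if parts.username is not None or parts.password is not None:
        return default
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return default
    path = parts.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        return default  # a "//..." path would become protocol-relative once rebuilt
    target = path
    if parts.query:
        target += "?" + parts.query
    if parts.fragment:
        target += "#" + parts.fragment
    return target


if __name__ == "__main__":
    # Constructed inputs of the kind an emailVerificationLink parameter might carry.
    for sample in (
        "/account/verify?token=abc",
        "https://www.example-retailer.test/account?x=1#top",
        "https://attacker.test/",
        "//attacker.test/",
        "https://www.example-retailer.test@attacker.test/",
    ):
        print(f"{sample!r:60} -> {normalise_redirect(sample)!r}")
```

The function returns a path rather than echoing the original absolute URL even when the host is allowed; that way the redirect can never leave the site regardless of how the allowlist is maintained, and a log line showing a rejected value is an easy detection signal for attempts like the one in the proof of concept.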
This vulnerability was originally discovered from a suspicious-looking email that was automatically flagged as spam/phishing. The email in question was sent to a single-use email address provided during an online purchase on canadiantire.ca in 2018 while travelling; it was received from [email protected] and included the link
While the email appears to be a legitimate email from Canadian Tire, it is in fact sent by the third-party company Gigya.com, a “customer identity management platform”.
This email is a perfect example of how an attacker could mimic an authentic email from Canadian Tire and trick unsuspecting users into providing sensitive information such as personal details, passwords, or even financial details.
At this time it has not been confirmed whether the email was legitimate; however, if it was authorised by Canadian Tire, a serious review of this practice should be undertaken, as it conditions users to trust emails from illegitimate third parties claiming to be Canadian Tire.
No security.txt or other security contact information was found on the main site, corporate information site, or the cyber security recruitment site.
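For reference, an added example (not from the original report, and not a file Canadian Tire publishes) of the security.txt file described in RFC 9116, which would have given a reporter a contact route. It is served at /.well-known/security.txt; every value below is a placeholder.

```text
# /.well-known/security.txt (example; all values are placeholders)
Contact: mailto:security@example-retailer.test
Expires: 2022-03-16T00:00:00.000Z
Preferred-Languages: en, fr
Canonical: https://www.example-retailer.test/.well-known/security.txt
Policy: https://www.example-retailer.test/security-policy
```

Contact and Expires are the two mandatory fields; the Expires date should be kept within a year so that stale contact details are noticed, and the Canonical line lets a reader confirm they are looking at the file the organisation intended to publish.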
Initial contact requesting the appropriate information security team's contact details was made on 16 December 2020. Additionally, messages requesting the same were sent via email and LinkedIn to employees working within the company's Information Security and Cyber Security departments. At the time of publishing, no response has been received.
- 16 December 2020: Affected Party Notified
- 16 March 2021: Report Published (+90 days)