Sometimes, you can’t even trust links on your own domain. As the Cybernews research team has discovered, some BMW subdomains were vulnerable to an open redirect flaw, which would have let attackers forge links on the legitimate domain that lead to malicious sites.
Cybernews researchers discovered two BMW subdomains that were vulnerable to an SAP redirect vulnerability. They were used to access the internal workplace systems for BMW dealers and could have been useful to attackers for spear-phishing campaigns or malware distribution.
The SAP redirect vulnerability is a security issue affecting the web application server for SAP products (SAP NetWeaver Application Server Java). It meant that anyone could forge a redirect link using these subdomains by appending a string such as this:
The final URL would look like this:
“It allows an attacker to redirect a user to a malicious website or inject arbitrary content into a legitimate website. This can be done by manipulating the URL parameters of the affected SAP system,” Cybernews researchers explained.
While not critical, such a vulnerability opens many creative opportunities for phishers, targeting employees or customers.
“Imagine you get an email from your CEO or manager asking you to do something. The firewall won’t block the malicious link in an email as the domain is legitimate. If you open the link and enter your credentials, attackers suddenly gain access to deploy ransomware or for other deeds. This exploit could also be used for mass phishing campaigns, targeting customers,” our researchers said.
BMW fixes the vulnerability
Cybernews researchers immediately disclosed the vulnerability to BMW, and it was promptly fixed.
A BMW spokesperson assured us that information security is a top priority for the BMW Group, which applies to the company’s employees, customers, and business partners.
“After we identified the vulnerability, we acted to assess it and put the necessary actions in place to minimize a possible impact. As far as we know, the addressed vulnerability didn’t compromise BMW Group-related systems, nor was any data leaked or misused,” the spokesperson said.
They also explained that the BMW Group uses multi-level security controls for access to internal systems, following the principle that the more sensitive the data, the stronger the security measures.
BMW is a German manufacturer of luxury vehicles headquartered in Munich.
How redirect attacks work and how to avoid them
An SAP redirect vulnerability, like other open redirect vulnerabilities, lets a web application be made to send users to a URL of the attacker's choosing. Such flaws typically occur when a web app or one of its components fails to properly validate or sanitize a URL before redirecting the user to it.
This type of vulnerability, which affected BMW websites and other SAP systems, was first identified in 2012 but still poses risks to organizations, even after security updates have been applied.
All an attacker needs to do is modify the value of the URL parameter so that it points to a malicious site.
“Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance,” MITRE’s definition of the common weakness reads. “Whether this issue poses a vulnerability will be subject to the intended behavior of the application. For example, a search engine might intentionally provide redirects to arbitrary URLs.”
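To make the weakness concrete, here is an added example (not code from Cybernews, BMW or SAP) showing the unvalidated redirect pattern beside a hardened version that only honours targets that resolve to the site's own origin. The host `portal.example.com`, the `next` parameter and the sample link values are constructed for illustration; the checks go slightly beyond the article by also covering scheme-relative, backslash and userinfo variants that commonly slip past naive string matching.

```python
"""Open redirect: an unvalidated redirect handler beside a hardened one.

Added example, not Cybernews', BMW's or SAP's code. The host, the 'next'
parameter and the sample link values are constructed for illustration.
"""
from urllib.parse import urljoin, urlsplit

# Assumption: the site that issues the redirect (hypothetical host).
SITE_ORIGIN = "https://portal.example.com"
SITE_NETLOC = urlsplit(SITE_ORIGIN).netloc.lower()


def vulnerable_redirect_target(next_param: str) -> str:
    """The weak pattern: the 'next' parameter is trusted as-is, so a forged
    link on the legitimate domain sends the browser wherever it says."""
    return next_param


def safe_redirect_target(next_param: str, fallback: str = "/") -> str:
    """Resolve 'next' against the site origin the way a browser would, and
    only honour it if the result still points at this site; anything else
    falls back to a fixed local path."""
    if not next_param:
        return fallback
    # Whitespace and control characters are used to confuse URL parsers.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in next_param):
        return fallback
    # Browsers treat '\' like '/' in http(s) URLs, so '/\host' is followed
    # as the scheme-relative '//host'. Normalise before parsing.
    candidate = next_param.replace("\\", "/")
    # urljoin handles relative paths, '//host' and absolute URLs alike.
    resolved = urlsplit(urljoin(SITE_ORIGIN, candidate))
    # Exact netloc comparison rejects other hosts, 'site.com.evil' lookalikes
    # and 'site.com@evil' userinfo tricks; the scheme check rejects
    # javascript:/data: style targets.
    if resolved.scheme.lower() != "https" or resolved.netloc.lower() != SITE_NETLOC:
        return fallback
    return resolved.geturl()


# Constructed sample 'next' values as they might appear in forged links.
SAMPLE_TARGETS = [
    "/dealer/inbox",                              # legitimate relative path
    "https://portal.example.com/dealer/home",     # legitimate absolute URL
    "https://evil.example/login",                 # plain open redirect
    "//evil.example/login",                       # scheme-relative
    "/\\evil.example/login",                      # backslash variant
    "https://portal.example.com@evil.example/",   # userinfo confusion
    "https://portal.example.com.evil.example/",   # lookalike subdomain
    "javascript:void(0)",                         # non-http scheme
]


def audit_targets(targets=SAMPLE_TARGETS):
    """Return {target: (vulnerable_result, safe_result)} for review/logging,
    so the difference between the two handlers is visible side by side."""
    return {t: (vulnerable_redirect_target(t), safe_redirect_target(t))
            for t in targets}


if __name__ == "__main__":
    for target, (weak, safe) in audit_targets().items():
        print(f"{target!r:48} weak -> {weak!r:48} safe -> {safe!r}")
```

The design choice worth noting is that the safe handler does not try to enumerate bad prefixes; it resolves the candidate exactly as the browser will and then compares the resulting origin to an allowlist of one. That is the same idea as the "validate or sanitize URLs before redirecting" guidance above, and it is what a patch for an open redirect in any redirect-capable component boils down to.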
To address an SAP redirect vulnerability, Cybernews researchers recommend the following:
- SAP has released patches for the affected products that address the SAP redirect vulnerability. Applying these patches is the most effective way to mitigate the vulnerability.
- To prevent injection attacks and other vulnerabilities, developers should follow secure coding practices and guidelines, such as the Open Web Application Security Project (OWASP) Top 10.
- Regular security assessments can help identify vulnerabilities in systems and applications and allow for proactive remediation before attackers can exploit them.
“Security is an ongoing process, and companies should regularly review and update their security measures to ensure they remain effective,” researchers noted.
“Redirect vulnerabilities are significant security risks and can have a devastating impact on organizations.”
Users should also be wary of clicking links – even when the domain appears legitimate. Attackers still have other ways to deliver a malicious payload.