Thinkific Open Redirect Scanner
Detects 'Open Redirect' vulnerability in Thinkific.
Short Info
Level: Medium
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days 5 hours
Scan only one: URL
Toolbox: -
Thinkific is an online platform that allows users to create and sell courses on the internet. It is commonly used by educators, entrepreneurs, and businesses to provide e-learning solutions. Users can customize their course sites, and manage student enrollments and progress. The platform supports multimedia content, quizzes, and certificates to enhance the learning experience. Thinkific is popular due to its user-friendly interface and robust set of features catering to varied audiences. It’s designed to help users easily monetize their knowledge and expertise.
An Open Redirect vulnerability allows an attacker to craft a URL that, when visited, will redirect the user to a different website. This type of vulnerability can be exploited to facilitate phishing attacks by convincing users they are visiting a trusted site when they are being redirected elsewhere. It may also be used to obtain sensitive information or credentials by redirecting to a malicious site. The vulnerability is often found in URL parameters that are not properly validated. Open Redirects can compromise user trust and application integrity.
In the case of Thinkific, the vulnerability arises from improper validation of the 'error_url' parameter in the JWT-based SSO endpoint. Attackers can exploit this by appending a malicious URL to the request, leading to an unintended redirection. The vulnerability is confirmed when the server responds with a 302 status code and includes the crafted URL in the response body or in the Location header. Understanding the endpoint and parameter behavior is crucial for exploiting and mitigating these types of vulnerabilities. This technical flaw could be patched by validating URL parameters against a whitelist of permitted domains, with an exact host match rather than a substring or prefix match.
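The following is an added example, not code from Thinkific or from the scanner described on this page. It shows the whitelist validation the paragraph above recommends for a redirect parameter such as error_url, and a matching response-side check of the kind a scanner uses (a 3xx whose Location header points outside the permitted hosts). The host names, the function names and the default fallback URL are assumptions constructed for the example.

```python
"""Allowlist validation for a redirect parameter such as error_url.

Added example; the host names and defaults below are constructed.
"""
from urllib.parse import urlsplit

# Constructed allowlist: hosts this application is willing to send users to.
ALLOWED_HOSTS = frozenset({"courses.example.com", "school.example.com"})
# Constructed fallback used whenever the supplied error_url is rejected.
DEFAULT_ERROR_URL = "https://courses.example.com/sso/error"


def is_safe_redirect(candidate, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if candidate is a same-site path or an absolute
    http(s) URL whose host is exactly one of allowed_hosts."""
    if not candidate or not isinstance(candidate, str):
        return False
    # Backslashes, whitespace and NUL are normalised by browsers in ways
    # URL parsers disagree on; reject them rather than reason about them.
    if any(ch in candidate for ch in "\\\r\n\t\x00 "):
        return False
    # A relative path stays on this origin, but "//host/..." does not.
    if candidate.startswith("/"):
        return not candidate.startswith("//")
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return False
    # Rejects javascript:, data:, and scheme-less strings.
    if parts.scheme not in ("http", "https"):
        return False
    # In "https://trusted@other.example" the real host follows the '@'.
    if "@" in parts.netloc:
        return False
    host = parts.hostname
    if not host:
        return False
    # Exact match after lowercasing and dropping a trailing dot; a suffix or
    # prefix match would accept "courses.example.com.other.example".
    return host.lower().rstrip(".") in allowed_hosts


def resolve_error_url(candidate, allowed_hosts=ALLOWED_HOSTS,
                      default=DEFAULT_ERROR_URL):
    """Server-side handling of the parameter: use it only if it validates,
    otherwise fall back to a fixed same-site error page."""
    return candidate if is_safe_redirect(candidate, allowed_hosts) else default


def redirect_leaves_site(status_code, headers, allowed_hosts=ALLOWED_HOSTS):
    """Response-side check: True when a 3xx Location header points outside
    the allowlist, which is the condition a scanner for this issue reports."""
    if not 300 <= status_code < 400:
        return False
    location = next(
        (v for k, v in headers.items() if k.lower() == "location"), None)
    if location is None:
        return False
    return not is_safe_redirect(location, allowed_hosts)


if __name__ == "__main__":
    for url in ("/sso/error", "https://courses.example.com/x",
                "//other.example/", "https://courses.example.com@other.example/"):
        print(url, "->", resolve_error_url(url))
```

The validator deliberately does exact host matching and rejects anything it cannot parse cleanly; a redirect parameter is a good place to fail closed, since the fallback is simply the application's own error page.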
If exploited, this vulnerability could lead to users being redirected to phishing sites that mimic the legitimate Thinkific site. Such sites can be used to steal login credentials, financial information, or other sensitive data by tricking users into entering information into a fraudulent form. Additionally, attackers might redirect users to sites hosting malware, further endangering the integrity of users’ devices and data. The breach of trust could also damage Thinkific’s reputation, and breach agreements or legal obligations regarding data protection and user privacy.