Sleep
2 min read · Oct 3, 2023

Open URL Redirect Microsoft Approved MSRC Validated

Summary: A critical open URL redirect vulnerability was discovered on the Microsoft Learn user registration page. It could allow an attacker to redirect users to malicious websites or applications. The vulnerability exists in the redirectUrl parameter of the registration page's URL, which is neither validated nor sanitized, so any user-supplied destination is accepted and the user is sent there.
Vulnerability Details: The redirectUrl parameter on the Microsoft Learn user registration page (https://learn.microsoft.com/en-us/users/register) specifies the URL that users are sent to after successfully registering a new account. The vulnerable URL is https://learn.microsoft.com/en-us/users/register?redirectUrl=calculator://open, where the calculator://open value is passed through as the redirect target, demonstrating that arbitrary destinations, including non-web URL schemes, are accepted.
Attack Scenario: An attacker can exploit this vulnerability by crafting a malicious URL and sending it to potential victims, for example via phishing emails or social engineering. The malicious URL looks like a legitimate Microsoft Learn registration link, but its redirectUrl parameter points to an attacker-controlled destination such as https://attacker.com/malicious-page. When a victim opens the link and registers a new account on Microsoft Learn, the redirectUrl parameter sends them to the attacker's page.
Impact: The impact of this vulnerability could be severe. An attacker could redirect users to malicious websites or applications, enabling further malicious activity such as stealing sensitive information, spreading malware, or staging additional attacks. For example, the calculator://open URL scheme could be abused to launch arbitrary applications on the victim's device, potentially allowing the attacker to execute arbitrary code with the victim's privileges.
Recommendation: To mitigate this vulnerability, Microsoft should properly validate and sanitize the redirectUrl parameter on the user registration page. Specifically, the parameter should only accept whitelisted URLs, or be restricted to a specific domain and protocol such as https://learn.microsoft.com. Additionally, Microsoft should provide user awareness training on the risks of clicking unknown or suspicious URLs and encourage users to verify a URL's legitimacy before clicking it.
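A server-side allowlist check of the kind the recommendation describes, written here as an added example rather than Microsoft's own code; the allowed host set, the https-only rule and the fallback path are assumptions. It rejects the calculator://open case from this write-up along with the usual open-redirect bypasses (protocol-relative URLs, backslash tricks and userinfo-embedded hosts).

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example: the only origin the registration
# page should ever hand users back to, and a safe fallback when the
# supplied redirectUrl is rejected.
ALLOWED_HOSTS = frozenset({"learn.microsoft.com"})
ALLOWED_SCHEMES = frozenset({"https"})
DEFAULT_TARGET = "/"


def is_allowed_redirect(raw: str) -> bool:
    """Return True only for a same-site https URL or a plain local path."""
    if not raw or len(raw) > 2048:
        return False
    # Tabs, newlines and other control characters make a URL parse
    # differently in the browser than on the server; refuse them outright.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in raw):
        return False
    # Browsers treat "\" like "/" in http(s) URLs, so "/\evil.com" resolves
    # to "//evil.com", a protocol-relative jump to another host.
    if "\\" in raw:
        return False
    parts = urlsplit(raw)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: must be a single-slash local path ("/en-us/...").
        # "//host" is protocol-relative and "///host" is treated the same
        # way by browsers, so anything starting with "//" is rejected.
        return raw.startswith("/") and not raw.startswith("//")
    # Absolute target: scheme and host must both be on the allowlist.
    # "calculator://open" fails because its scheme is not https;
    # "https://learn.microsoft.com@attacker.com" fails because .hostname
    # is the part after "@", i.e. attacker.com.
    return (parts.scheme.lower() in ALLOWED_SCHEMES
            and parts.hostname in ALLOWED_HOSTS)


def safe_redirect_target(raw: str, default: str = DEFAULT_TARGET) -> str:
    """Return `raw` if it passes validation, otherwise the safe default."""
    return raw if is_allowed_redirect(raw) else default
```

Exact host matching is what stops lookalike hosts such as learn.microsoft.com.attacker.com; a prefix or substring match would not.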
