[Bug] [Security flaw] Faceit Integration Settings allows custom urls


#1

When setting your social networks in Integration Settings there is no filter on the URLs submitted into the fields, as you can see in the attached photo. An attacker could put a masked/shortened URL (bit.ly or goo.gl) to redirect to malicious websites, leading to a scam website clone and stealing user data using Facebook, YouTube and Twitter clones.

I think this is a security flaw that should be fixed.

In the attached image you can see that I can set any URL for the Social Media profiles, instead of only allowing @username style entries or “http://twitter.com/{username}” style URLs.

This is my profile URL, where you can see that I have those URLs set, which lead not to Twitter, Facebook or YouTube, but instead go to porn websites through a shortened URL: https://www.faceit.com/en/players/Traber
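One way a server could validate these fields so that only a handle or a profile URL on the expected site is stored, as an added example that is not Faceit's code (the allow-list of hosts, the handle syntax and the network names are assumptions):

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list: canonical host plus the hostnames accepted as input
# for each network. Anything else (shorteners, look-alike domains) is rejected.
NETWORKS = {
    "twitter": ("twitter.com", {"twitter.com", "www.twitter.com"}),
    "facebook": ("facebook.com", {"facebook.com", "www.facebook.com"}),
    "youtube": ("youtube.com", {"youtube.com", "www.youtube.com"}),
}
# Assumed handle syntax: letters, digits, underscore, dot, dash, 1-50 chars.
HANDLE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,50}$")


def canonical_profile_url(network, value):
    """Return a canonical https profile URL, or None if the input is rejected.

    Accepts "@handle" or an http(s) URL whose host is on the allow-list for
    `network` and whose path is a single handle segment.
    """
    entry = NETWORKS.get(network)
    if entry is None:
        return None
    canonical_host, allowed_hosts = entry
    value = value.strip()
    if value.startswith("@"):
        handle = value[1:]
    else:
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https"):
            return None  # rejects javascript:, data:, schemeless input, ...
        # .hostname drops the port and any "user:pass@" prefix, so
        # "https://twitter.com@evil.example/x" yields host evil.example.
        host = parts.hostname
        if host is None or host.lower() not in allowed_hosts:
            return None
        segments = [s for s in parts.path.split("/") if s]
        if len(segments) != 1:
            return None  # exactly one path segment: the handle
        handle = segments[0].lstrip("@")
    if not HANDLE_RE.match(handle):
        return None
    return f"https://{canonical_host}/{handle}"
```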


#2

Hey @Traber - thanks for reporting this. There is already a planned fix for this in the works, but thanks for so clearly demonstrating your point by making one of the developers shout loudly, followed by a Slack message of “btw, don’t click his social links. They’re totally NSFW.”


#3

my eyes :see_no_evil:


#4

Thanks for the response, I hope I did not cause any trouble to that developer hahahaha.

I will be awaiting the fix :wink:

Greetings!