Affects Version/s: None
Fix Version/s: None
In a recent Veracode scan of the mobile application, we found a medium-severity vulnerability:
Insufficient Input validation
Weaknesses in this category are related to an absent or incorrect protection mechanism that fails to properly validate input that can affect the control flow or data flow to a program.
Validate input from untrusted sources before it is used.
Associated flaws by CWE ID:
URL redirection to untrusted site ('open redirect') (CWE ID 601)
A web application accepts a user-controlled input that specifies a link to an external site and uses that link to generate a redirect. This enables phishing attacks.
The recommendation is to always validate user-supplied input to ensure it conforms to the expected format, using centralized data validation routines when possible. Check the supplied URL against a whitelist of approved URLs or domains before redirecting.
InAppBrowser.java: lines 447 and 449
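As an illustration of the allowlist check recommended above, here is an added example of a host-allowlist validator for a redirect or navigation target. It is not code from the InAppBrowser plugin or from Veracode; the class name `RedirectTargetValidator` and the allowlisted hosts (`example.com`, `api.example.com`) are assumptions chosen for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Added example (hypothetical helper, not the plugin's own code): decide whether a
// user-supplied URL may be opened, by checking it against an allowlist of hosts.
public final class RedirectTargetValidator {

    // Constructed sample allowlist; a real deployment would load this from config.
    private static final List<String> ALLOWED_HOSTS =
            Arrays.asList("example.com", "api.example.com");

    private RedirectTargetValidator() {}

    /**
     * Returns true only if url is an absolute http(s) URL whose host is an
     * allowlisted host or a subdomain of one. Anything unparseable is rejected.
     */
    public static boolean isAllowedTarget(String url) {
        if (url == null || url.trim().isEmpty()) {
            return false;
        }
        final URI uri;
        try {
            uri = new URI(url.trim());
        } catch (URISyntaxException e) {
            // Malformed input (backslashes, embedded spaces, ...): fail closed.
            return false;
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            // Relative or scheme-less URLs ("//host/path") are not resolved here;
            // reject rather than guess what the WebView would do with them.
            return false;
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("https") && !scheme.equals("http")) {
            // Blocks javascript:, file:, intent: and custom schemes.
            return false;
        }
        // java.net.URI separates userinfo from host, so for
        // "https://example.com@attacker.test/" getHost() is "attacker.test".
        // Embedded credentials are rejected outright.
        String host = uri.getHost();
        if (host == null || uri.getRawUserInfo() != null) {
            return false;
        }
        host = host.toLowerCase(Locale.ROOT);
        for (String allowed : ALLOWED_HOSTS) {
            // Exact match or a true subdomain; "example.com.attacker.test"
            // does not match because the allowed host must be the suffix.
            if (host.equals(allowed) || host.endsWith("." + allowed)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed inputs covering the common bypass shapes.
        String[] samples = {
            "https://example.com/path",              // allowed
            "https://login.example.com/",            // allowed (subdomain)
            "https://EXAMPLE.com/",                  // allowed (case-insensitive host)
            "https://example.com.attacker.test/",    // rejected (different registrable host)
            "https://example.com@attacker.test/",    // rejected (userinfo confusion)
            "javascript:alert(1)",                   // rejected (scheme)
            "//attacker.test/",                      // rejected (scheme-less)
            "https://attacker.test\\@example.com/"   // rejected (URISyntaxException)
        };
        for (String s : samples) {
            System.out.println(isAllowedTarget(s) + "\t" + s);
        }
    }
}
```

The check is deliberately strict: it requires an absolute http(s) URL, refuses URLs carrying userinfo, and compares the parsed host (not the raw string) against the allowlist, so prefix tricks such as `https://example.com.attacker.test/` do not pass. Whether subdomains of an allowlisted host should be accepted is a policy decision; if only exact hosts are wanted, drop the `endsWith` branch.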