Cross-domain token-based multifactor scheme on job application site

Hello community,

I recently got the following error on a redirect scheme I was already suspicious about:

The site is a job application site from a company called MindPal. I have moderate intuition about how tokens are passed around a backend, which made me notice an irregularity in the following UX scheme:

  1. I applied to two jobs without authenticating on (app.mindpal.co)
  2. I got a confirmation email
  3. I got an email from a different domain name (possible cross-domain tenancy) from mindpal.info
  4. I went back to authenticate to app.mindpal.co and created my account
  5. I got another email from mindpal.info saying "You have already applied with us", with an activation link that I pasted above, which got blocked

Thereafter, I checked the registrar information using whois and noticed a few differences between mindpal.co and mindpal.info, which I can't assess all that well.

I am wondering why they are implementing a "click to activate your profile" link from a different domain soon after which you are asked to create your password for the first time. It seems this would be vulnerable to numerous XSS or other injection types.

I will attach below images of the emails. Is this not excessive UX declaration? Adding some constraints to the available functionality might increase the security, of course at the cost of ease of use. Had the Bitdefender error not appeared I would not have minded as many user interfaces these days are "click and don't think with extra animations". 😄

P.S.: I also tried refreshing my VPN certificates from different connections in between operations as I was noticing the bitmask differences.

Comments

  • Alexandru_BD (admin), edited February 2

    Hello @Septimiu,

    This detection comes from the Online Threat Prevention security module. This antivirus feature ensures a safe browsing experience by alerting you about potential malicious webpages.

    I appreciate your detailed feedback concerning the page and I think this should be brought to the attention of the security researchers via the regular Support channels. They can do a proper background check and find out exactly what's happening there. My recommendation is to get in touch with the Support engineers to report this detection and provide them with the link to this thread, for reference. They will then proceed to forward the information to the Bitdefender Labs for further investigation, if necessary:

    https://www.bitdefender.com/consumer/support/help/

    Scroll down to state your contact reason, then choose from the available contact channels, chat, phone and email/ticket. Chat would be the fastest way to reach them.

    If possible, kindly share the outcome with the community as well, this may help other users that encounter this in the future.

    Regards,

    Alex

    Premium Security & Bitdefender Endpoint Security Tools user

  • Hi @Alexandru_BD,

    Thank you so much for your suggestion. After receiving the initial feedback, I decided to return with some notes.

    The support ticket from the labs notified me that everything works correctly, and apparently this is an expired certificate.

    While I am glad to hear that it is not a more serious certificate issue (one that might affect root CAs), I would like to mention that an expired certificate, in my opinion, can be a symptom of some other things that go wrong, and that people should be careful about. For the following reasons, try to consider using alternate tools before consenting to an invalid certificate:

    1. An expired certificate might indicate incorrect or overloaded business processes. If this is one symptom visible from the outside, who knows what else is not functioning properly with that entity.
    2. This expired certificate is part of a platform that uses multiple top-level domains: `.co, .com, .space, .info`, to name a few. I would be concerned about cross-scripting vulnerabilities appearing, even if none are detectable at present, because it indicates segregated tenancy and decentralized governance.
    3. The application site that I used asked me to record an introductory video of myself. Would I really trust that the GDPR applies to all domains, or that the entity I consent to owns all domains? Even if I trusted that, the expired certificate shows that they might already be too overloaded to handle my data seriously, and with today's generative AI they could gain a quick buck out of it.

    So yes, just an expired certificate for me. Is that also the case for the website tenant, or are there more scenarios that could arise?

    Looking forward to any future insights.

    Regards,

    Tim
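The two points raised in the thread, an expired certificate and links that hop between registrable domains, are both things a user or an administrator can check mechanically instead of clicking through a browser warning. The following is an added example, not code from the thread or from MindPal or Bitdefender: it takes a certificate in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, checks the validity window and the SAN/hostname match (RFC 6125 single-label wildcard rules), and flags when a link's host lives on a different registrable domain than the site you authenticated on. The certificate values, the hostnames and the 14-day "expires soon" threshold are all constructed assumptions for the demonstration; the registrable-domain helper is deliberately naive (last two labels) and would need the public suffix list for domains such as `.co.uk`.

```python
import ssl
import time

# Constructed sample in the shape produced by ssl.SSLSocket.getpeercert().
# Every value here is made up for this example; it is not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example-tenant.info"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Feb  1 00:00:00 2024 GMT",
    "subjectAltName": (
        ("DNS", "example-tenant.info"),
        ("DNS", "*.example-tenant.info"),
    ),
}

EXPIRES_SOON_DAYS = 14  # assumed policy threshold for this example


def _dns_match(pattern, hostname):
    """RFC 6125 style match: '*.a.b' matches exactly one extra label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".a.b"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]
        return bool(label) and "." not in label
    return pattern == hostname


def san_hostnames(cert):
    """DNS names from the subjectAltName extension (what browsers check)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(cert, hostname):
    """True if hostname is covered by a SAN entry; CN is only a legacy fallback."""
    names = san_hostnames(cert)
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(name, hostname) for name in names)


def check_cert(cert, hostname, now=None):
    """Classify a peer certificate for a given hostname at time `now` (epoch seconds)."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    findings = []
    if now < not_before:
        findings.append("not_yet_valid")
    if now > not_after:
        findings.append("expired")
    elif not_after - now < EXPIRES_SOON_DAYS * 86400:
        findings.append("expires_soon")
    if not hostname_matches(cert, hostname):
        findings.append("hostname_mismatch")
    return {
        "ok": not findings,
        "findings": findings,
        "days_left": (not_after - now) / 86400,
    }


def registrable_domain(hostname):
    """Naive registrable domain (last two labels); a real tool uses the public suffix list."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def cross_domain_link(site_host, link_host):
    """True when a link from an email points outside the domain you signed up on."""
    return registrable_domain(site_host) != registrable_domain(link_host)


if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Mar  1 00:00:00 2024 GMT")  # constructed "current" time
    print(check_cert(SAMPLE_CERT, "app.example-tenant.info", now))
    print(cross_domain_link("app.example.co", "www.example.info"))
```

Run against real traffic, the dictionary comes from `getpeercert()` on a verified connection; for a certificate the library already rejects as expired you would read the dates from `openssl s_client` output instead. The useful output is the `findings` list: "expired" alone means the operator missed a renewal, while "hostname_mismatch" or a cross-domain link means the page you are about to type a password into is not the one the certificate vouches for.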