Vulnerability Summary
A critical Open Redirect vulnerability was identified within an OAuth authorization flow endpoint. The vulnerability occurs because the callback_url (or equivalent redirect parameter) is validated using an insecure string prefix match instead of exact parsing. An attacker can craft a URL that begins with the whitelisted string but resolves to the attacker's server, for example through authority confusion (https://trusted.com@attacker.com/, where a URL parser treats trusted.com as userinfo and attacker.com as the host). Because the redirect is part of an OAuth flow, it could leak sensitive response parameters to the attacker if chained with an authorization request.
Vulnerability Type: Open Redirect — OAuth callback validation bypass
Affected Component: OAuth Authorization Flow / Client Callback Validation
Affected Mechanism: Weak string matching (startsWith or similar prefix validation)
A base64-encoded query parameter on a login/terms acceptance page was decoded and used directly in window.location.href with only protocol validation — no domain check. The writeup covers tracing the vulnerable code in the Angular bundle, crafting the payload, and why the legitimate branding makes this particularly effective for phishing.
HackerOne disclosed report --> https://hackerone.com/reports/3599248 by marioniangi