Stealing Users' OAuth Tokens via redirect_uri
State Resolved (Closed)
Disclosed publicly 2018-09-14T12:24:09.249Z
Reported To
Weakness Improper Authentication - Generic

submitted a report to BOHEMIA INTERACTIVE a.s.

I would like to report an open redirection in the OAuth redirect_uri which can lead to users' OAuth tokens being leaked to any malicious user.


During the OAuth flow, the redirect_uri on is not properly validated to ensure the URL given is proper; as such, a bypass of the filter is possible, and it is thereby possible to exfiltrate users' OAuth tokens to that nonexistent domain.

On clicking Login on , an OAuth request is triggered to ; the endpoint checks whether the redirect_uri starts with but does not check the ending bits, so it is possible to inject anything after that.

As an example, I injected , the server's whitelist is bypassed, and a redirect is performed to with the code and state values.

Steps to Reproduce

  • Login to any website in the scope
  • After Login access the following URL -
  • On accessing you will get redirected to with the OAuth access code and state; registering such a domain is possible, and when any logged-in user accesses the URL it's possible to steal their OAuth creds.

RAW Request

GET /api/auth?response_type=code& HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: cookieconsent_dismissed=yes; bi.accounts.connect.sid=s%3AEbOE7LAPYR9IJO8ocyKuhNoIx_qXNt7_.UWaqiLeZPbgCSPM5nTvWUY2HiRYUXzEjw%2BRPxP3optA; bi_store_auth_session=eyJpdiI6IkcxSWloOVwvdngyaVFjZE9WM012ZzZMRmpkY1VnN1wvOW5abnkyYlNBVklaMD0iLCJ2YWx1ZSI6IjRpUFRUNzFkNElkWkZWeUc4U2o1TkNBaytURlJnVEVyaVFlMTJEc1pjcFR6XC9wUjlHdjd2cDRNQXFaN3hlZjVodHFMaW84WVFxWVJvUG1DOE4xTmtqUT09IiwibWFjIjoiZmRkZThlYjliMmZhMjc4YzBhMWVjMThkN2UxOTc5NmY3MjQ1YTc0NGFlY2FmNGVlNDUwOTU4ZjZmMGU5YTMwMSJ9
Connection: close
Upgrade-Insecure-Requests: 1


Due to a validation bypass in the redirect_uri parameter of the OAuth flow, it's possible to redirect authenticated users to arbitrary domains along with their OAuth credentials, from which it's possible to take over their account.

Best Regards,

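The check the report describes (the endpoint only verifies that redirect_uri starts with the registered prefix) next to the exact-match comparison that closes the gap. This is an added example, not code from the report or from Bohemia Interactive; the registered callback app.example, the host attacker-placeholder.test and the sample redirect_uri values are constructed placeholders.

```python
"""Added example (not from the original report): a prefix-only redirect_uri
check contrasted with an exact-match check. All hostnames are constructed
placeholders."""
from urllib.parse import urlsplit

# Constructed allowlist: the exact redirect URI a client registered.
REGISTERED_REDIRECT_URIS = {
    "https://app.example/oauth/callback",
}

# Constructed: the origin-only prefix a weak filter compares against.
WEAK_PREFIX = "https://app.example"


def prefix_check(redirect_uri: str) -> bool:
    """The flawed pattern from the report: only the start of the value is
    compared, so anything appended after the prefix is accepted."""
    return redirect_uri.startswith(WEAK_PREFIX)


def strict_check(redirect_uri: str) -> bool:
    """Exact string comparison against the registered values, as RFC 6749
    section 3.1.2.2 expects: no prefix, no pattern, no normalisation."""
    return redirect_uri in REGISTERED_REDIRECT_URIS


def explain_rejection(redirect_uri: str) -> str:
    """Reason string for an audit log when strict_check fails. The URI is
    parsed only to describe the mismatch, never to decide acceptance."""
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:
        return "unparseable"
    if parts.username or parts.password:
        return "userinfo present"
    registered_hosts = {urlsplit(u).hostname for u in REGISTERED_REDIRECT_URIS}
    if (parts.hostname or "").lower() not in registered_hosts:
        return f"host {parts.hostname!r} is not registered"
    if parts.scheme.lower() != "https":
        return f"scheme {parts.scheme!r} is not https"
    return "path or query differs from the registered value"


def evaluate(candidates):
    """Run both checks over candidate redirect_uri values and return
    {uri: (prefix_result, strict_result)} so the gap between them is visible."""
    return {u: (prefix_check(u), strict_check(u)) for u in candidates}


# Constructed sample inputs: one legitimate value and several that share the
# registered prefix but point somewhere else, as the report describes.
SAMPLE_REDIRECT_URIS = [
    "https://app.example/oauth/callback",
    "https://app.example.attacker-placeholder.test/cb",
    "https://app.example@attacker-placeholder.test/",
    "https://app.example/oauth/callback?next=elsewhere",
    "http://app.example/oauth/callback",
]

if __name__ == "__main__":
    for uri, (weak, strict) in evaluate(SAMPLE_REDIRECT_URIS).items():
        verdict = "ok" if strict else explain_rejection(uri)
        print(f"prefix={weak!s:5} strict={strict!s:5} {uri} -> {verdict}")
```

Only the registered value passes strict_check; every other sample passes the prefix check while landing on a different host, a different path or a different scheme, which is exactly the class of input the strict comparison is there to stop.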

ethancruize Activities::Comment
My report contains clear steps to reproduce the vulnerability, I have mentioned the Impact in the impact section. Yes the domain affected is very much in scope.

ethancruize Activities::Comment
Hi has anyone looked into this yet?

freespirit Activities::BugResolved
Hello, this was an issue with a short-lived website that is now offline. But despite that, we have modified our filters so your link does not work anymore. As a token of thanks please accept this Steam Key for Arma 3: BEFXX-ZGL4P-4AQ6G


ethancruize Activities::Comment
Hi, it's a high-risk vulnerability since using this it's possible to steal users' OAuth tokens; it really doesn't matter if the domain is short-lived. If an attacker knew this information he would have used this already and probably got access to users' tokens.

ethancruize Activities::AgreedOnGoingPublic
Let everyone see how "BOHEMIA INTERACTIVE" treats researchers' efforts.

rvn Activities::Comment
Just to clarify, the reason the issue wasn't rewarded with a bounty is because it was eliminated before it got to the developer in question, effectively making it a duplicate. He did at least do some filter modifications so we could give out at least something for this. We still cannot reward duplicates, be it HackerOne's or internal duplicates.

rvn Activities::ReportSeverityUpdated

rvn Activities::AgreedOnGoingPublic
Disclosed as requested

rvn Activities::ReportBecamePublic