Open Redirection in Oauth

Hi there,

I am fond of testing API. Whenever a bug bounty program launches their program first of all I look if they have an API or not. I have tested API of many websites like Mapbox ,Mediafire and found many issues.

Now I stumbled across a website I don't want to disclose the name of the website so lets call it Now in you can create an application and can get data from the users. They have different scope like email, phone number, address etc.

Now they are using Oauth for all this. I created an application and started testing the same.
As soon as i created the application client_id and client secret was provided to me (intended).

Now application only allows https url as the redirect_uri.  I white-listed an url and I was ready to go.

I have given the scope of email and tried the Oauth url they provided. Now what is actually going if you provide the wrong scope you will be redirected to the url given in the redirect_uri

Now according to RFC 6749

If the request fails due to a missing, invalid, or mismatching
   redirection URI, or if the client identifier is missing or invalid,
   the authorization server SHOULD inform the resource owner of the
   error and MUST NOT automatically redirect the user-agent to the
   invalid redirection URI

If the resource owner denies the access request or if the request
   fails for reasons other than a missing or invalid redirection URI,
   the authorization server informs the client by adding the following
   parameters to the query component of the redirection URI using the
   "application/x-www-form-urlencoded" format

lets take a scenario
There is a website and someone created an application with a white-listed url 

Now In the second paragraph of RFC6749 many dev misinterpret the word other than.
If the scope parameter is invalid then they directly redirect the user to that website without any interaction and thats how it works as on open redirect.

Now this can be used for phishing purposes or redirecting users to a malicious website

Now they say that this is how the Oauth works but actually if the scope is invalid then google and Facebook doesn't redirect their user to the website mentioned in redirect_uri facebook shows this type of error if the scope is invalid 

Now after all this I reported this bug to and they denied this by saying that this is how Oauth works. And after a long trail of comment they said we are going to operate our API according to RFC6749. thats it.

So everything is upto them if they want to make changes to protect their users of not.


And the mitigations that were provided by John Bradley,  Hannes Tschofenig you can found them here

Jitendra Kumar Singh(Team Computerkorner)
Feel Free To Leave A Comment If Our Article has Helped You, Support Us By Making A Small Contribution, Thank You!