Open Redirect on central.uber.com allows for account takeover
Discovered by ngalog on Uber

This issue took 2 days and 9 hours to triage and 51 days and 19 hours to resolve once triaged.

An error in our OAuth2 flow for <code>central.uber.com</code> allowed an attacker to leverage an open redirect for a full account takeover. When logging into <code>central.uber.com</code>, the <code>state</code> parameter sent to login.uber.com contained a redirect location instead of a CSRF token. As a result, an attacker could modify the <code>state</code> parameter to hold a poisoned <code>central.uber.com</code> path that redirected to an attacker-controlled domain after login, allowing them to steal the account's OAuth access token.
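The root cause is that <code>state</code> carried a redirect target instead of a session-bound CSRF token. The Python sketch below is an added illustration, not Uber's code: it contrasts a callback that trusts <code>state</code> as the destination with one that binds a random <code>state</code> to the session, keeps the post-login destination server-side, and only follows local paths. <code>exchange_code</code> and the plain-dict session are constructed stand-ins.

```python
import secrets
from urllib.parse import urlsplit

def exchange_code(code):
    # Constructed stand-in for the token endpoint call; returns a fake access token.
    return "token-for-" + code

# Pattern the report describes: the OAuth "state" carries the post-login destination
# and is never tied to the user's session, so whatever was put there is followed.
def vulnerable_callback(session, state, code):
    access_token = exchange_code(code)
    return access_token, state  # redirect target is caller-controllable

# Hardened pattern: "state" is a random CSRF token bound to the session; the
# destination is stored server-side and checked to be a path on this site.
def begin_login(session, next_path):
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["oauth_next"] = next_path
    return state  # goes into the authorize URL and carries no destination

def is_local_path(path):
    parts = urlsplit(path)
    # reject absolute URLs, protocol-relative "//host", and backslash variants
    return (not parts.scheme and not parts.netloc
            and path.startswith("/") and not path.startswith("//")
            and "\\" not in path)

def hardened_callback(session, state, code):
    expected = session.pop("oauth_state", None)
    if expected is None or not secrets.compare_digest(expected, state):
        raise PermissionError("state mismatch: CSRF or tampered callback")
    next_path = session.pop("oauth_next", "/")
    if not is_local_path(next_path):
        next_path = "/"  # never leave the site based on stored input either
    access_token = exchange_code(code)
    return access_token, next_path
```

Because the hardened handler derives the redirect from the session rather than the request, a modified <code>state</code> is rejected outright and a stored off-site destination falls back to <code>/</code>.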

Thanks, <a href="/ngalog">@ngalog</a>!