Open Redirect on allows for account takeover
Discovered by ngalog on Uber

This issue took 2 Days and 9 hours to triage and 51 Days and 19 hours to resolve once triaged.

An error in our OAuth2 flow for <code></code> allowed an attacker to leverage an open redirect for a full account takeover. When logging into <code></code>, the <code>state</code> parameter for contained a redirect location instead of a CSRF token. As a result, an attacker could modify the <code>state</code> parameter to carry a poisoned <code></code> path, which would redirect to an attacker-controlled domain after login and allow them to steal the account's OAuth access token.
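An added illustration of the pattern described above (example code, not Uber's), contrasting a callback that treats <code>state</code> as a redirect target with one that uses <code>state</code> as a per-session CSRF token and keeps the post-login path server-side; the host names and session dict are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit


def vulnerable_callback(state: str, access_token: str) -> str:
    """The flaw described in the report: `state` carries a redirect
    location rather than a CSRF token, so the party that crafted the
    login link decides where the token-bearing redirect goes."""
    return f"{state}#access_token={access_token}"


def issue_state(session: dict) -> str:
    """Hardened: `state` is a random, unguessable value bound to the
    session. The page to return to is recorded server-side instead."""
    token = secrets.token_urlsafe(32)
    session["oauth_state"] = token
    return token


def safe_redirect_target(candidate: str) -> str:
    """Allow only same-origin relative paths. Absolute URLs,
    protocol-relative '//host' forms and backslash tricks fall back
    to '/', so the redirect can never leave our origin."""
    parts = urlsplit(candidate)
    if (parts.scheme or parts.netloc or not candidate.startswith("/")
            or candidate.startswith("//") or "\\" in candidate):
        return "/"
    return candidate


def hardened_callback(session: dict, state: str, access_token: str) -> str:
    """Verify `state` against the session (constant-time compare),
    store the token server-side, then redirect to a validated path."""
    expected = session.pop("oauth_state", None)
    if expected is None or not hmac.compare_digest(expected, state):
        raise PermissionError("state mismatch: possible CSRF or replay")
    session["access_token"] = access_token  # never placed in the URL
    return safe_redirect_target(session.pop("post_login_path", "/"))
```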

Thanks, <a href="/ngalog">@ngalog</a>!