An error in our OAuth2 flow for <code>central.uber.com</code> allowed an attacker to leverage an open redirect for a full account takeover. When logging into <code>central.uber.com</code>, the <code>state</code> parameter sent to login.uber.com contained a redirect location instead of a CSRF token. As a result, an attacker could modify the <code>state</code> parameter to a poisoned <code>central.uber.com</code> path that redirected to a custom domain after login, allowing them to steal the account's OAuth access token.
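As an added illustration of the fix pattern (example code written for this page, not Uber's or HackerOne's implementation), the snippet below keeps <code>state</code> as an opaque, session-bound CSRF token, stores the post-login destination server-side, and only accepts same-origin paths as that destination; the <code>session</code> dict and the function names are assumptions.

```python
# Added example (not Uber's code): the OAuth2 "state" value is an opaque CSRF
# token bound to the session; the post-login destination is stored server-side
# and restricted to a path on this origin, so it can never point off-site.
import secrets
from urllib.parse import urlsplit


def is_safe_local_path(path: str) -> bool:
    """Accept only an absolute path on this origin: no scheme, no host,
    and no scheme-relative form ("//host" or the browser-tolerated "/\\host")."""
    if not path.startswith("/") or path.startswith("//") or path.startswith("/\\"):
        return False
    parts = urlsplit(path)
    return parts.scheme == "" and parts.netloc == ""


def begin_login(session: dict, next_path: str) -> str:
    """Create a random state token, remember it and the sanitised destination
    in the server-side session, and return the state to send to the IdP."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["oauth_next"] = next_path if is_safe_local_path(next_path) else "/"
    return state


def finish_login(session: dict, returned_state: str) -> str:
    """On the callback, require the returned state to match the session's token
    (single use), then return the local redirect target stored at login start."""
    expected = session.pop("oauth_state", None)
    next_path = session.pop("oauth_next", "/")
    if expected is None or not secrets.compare_digest(
        expected.encode(), returned_state.encode()
    ):
        raise ValueError("OAuth state mismatch: possible CSRF or replay")
    return next_path
```

With this shape, tampering with <code>state</code> fails the session comparison instead of steering the browser, and a destination like <code>https://attacker.example/</code> or <code>//attacker.example/</code> is replaced by <code>/</code> before it is ever stored.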
Thanks, <a href="/ngalog">@ngalog</a>!