Open Redirect in Flattr

Reported a low impact Open Redirect to Flattr
  • Posted on: 2020-06-11 05:12
  • Reading Time: 1 min

This bug in Flattr was a low-impact Open Redirect: an attacker could send the victim to an arbitrary external site once the victim had authorized the Twitter connection.

PoC

Visit the URL

https://flattr.com/settings/connect/twitter?redirect=https://eval.blog

After authorization, the user is redirected to eval.blog instead of staying on flattr.com.
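As an added example (not Flattr's code), this is the defender-side check that closes this class of bug: only same-origin, path-only values of the redirect parameter are honoured, and everything else falls back to a fixed page. The function name and the /settings default are assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Hypothetical hardening for a "redirect" query parameter such as the one on
# /settings/connect/twitter. Added example; the default path is an assumption.
SAFE_DEFAULT = "/settings"


def safe_redirect(target: Optional[str], default: str = SAFE_DEFAULT) -> str:
    """Return a redirect target that stays on the current origin.

    Accepts only relative paths beginning with a single '/'. Rejects absolute
    URLs (https://eval.blog), scheme-relative URLs (//eval.blog), backslash
    variants that browsers normalise to '/', and control characters that could
    split the Location header.
    """
    if not target:
        return default
    # Browsers treat '\' like '/', so "/\eval.blog" is really "//eval.blog".
    normalised = target.replace("\\", "/")
    if not normalised.startswith("/") or normalised.startswith("//"):
        return default
    if any(ord(c) < 0x20 or c == "\x7f" for c in normalised):
        return default
    parts = urlsplit(normalised)
    # A path-only string parses with empty scheme and netloc; anything else
    # means a host or scheme was smuggled in and the value is not trusted.
    if parts.scheme or parts.netloc:
        return default
    # Rebuild from path, query and fragment only, dropping any credentials.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
```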

Disclosure Timeline

Datetime          Log
5th June, 2020    Vulnerability was found
                  Contacted Flattr on Twitter for responsible disclosure
9th June, 2020    Reported vulnerability
11th June, 2020   Vulnerability fixed
                  Publicly disclosed