Robinhood: Open Redirect located at

ID H1:206811
Type hackerone
Reporter jon_bottarini
Modified 2017-04-13T17:40:06


Robinhood's OAuth2 authorization endpoint allowed arbitrary redirect URIs to be specified. While the actual OAuth2 authorization code was not sent to the third-party URI, the user was still redirected to it, resulting in an open redirect vulnerability. The endpoint has since been fixed to return the proper error responses instead of redirecting.