Coinbase: open authentication bug

ID H1:48065
Type hackerone
Reporter ckmk44
Modified 2015-03-11T16:19:22


Hi,

If a developer registers one of the three URLs without the http protocol ( in OAuth registration then he would be redirected to makes the user redirect to another site than the real application. An attacker could take advantage of this and steal the token using that site as a medium.

Type: OAuth
impact: high
authentication: yes

This works if the developer makes a mistake, but the vulnerability lies in the Coinbase OAuth.

Proof of concept:

Thank you, prashanth varma
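A registration-time check for the mistake the report describes, written as an added example that is not part of the report and not Coinbase's code. The host names, the `ALLOWED_SCHEMES` policy and the function names are assumptions made for illustration; the sample URIs are constructed.

```python
from urllib.parse import urlsplit, urljoin

# Assumption: the provider only accepts https callbacks.
ALLOWED_SCHEMES = {"https"}


def validate_redirect_uri(uri: str) -> str:
    """Return the URI unchanged if it is safe to register, else raise ValueError."""
    parts = urlsplit(uri)
    # A value without a scheme is a relative reference, not an absolute URI,
    # so where it lands depends on the page that issues the redirect.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"redirect URI needs an allowed scheme: {uri!r}")
    if not parts.hostname:
        raise ValueError(f"redirect URI needs a host: {uri!r}")
    if parts.username or parts.password:
        raise ValueError(f"redirect URI must not carry userinfo: {uri!r}")
    if parts.fragment:
        raise ValueError(f"redirect URI must not carry a fragment: {uri!r}")
    return uri


def resolve_like_browser(base: str, location: str) -> str:
    """Resolve a Location value the way a user agent does (RFC 3986 reference resolution)."""
    return urljoin(base, location)


def redirect_allowed(registered: set, requested: str) -> bool:
    """At authorization time, compare by exact string match against validated entries."""
    return requested in registered


if __name__ == "__main__":
    base = "https://auth.example/oauth/authorize"  # constructed authorization endpoint
    for candidate in ("https://app.example.com/callback",
                      "app.example.com/callback",
                      "//app.example.com/callback"):
        try:
            validate_redirect_uri(candidate)
            verdict = "accepted"
        except ValueError as exc:
            verdict = f"rejected ({exc})"
        print(f"{candidate!r}: {verdict}; a browser would resolve it to "
              f"{resolve_like_browser(base, candidate)}")
```

Running the validation when the application is registered, and not only when the redirect is issued, keeps a developer's scheme-less entry from ever reaching the redirect step.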