Twitter: XSS and Open Redirect on MoPub Login

ID H1:683298
Type hackerone
Reporter jackb898
Modified 2019-09-24T23:18:02


Summary: I found an open redirect at the MoPub login page. It also allows javascript URIs, leading to XSS.

Description: You can modify the "next" URL parameter to redirect to any website upon logging in on MoPub.

Steps To Reproduce:

  1. Take this URL:
  2. Change "" to whatever URL you want to redirect to.
  3. Visit the URL and log in
  4. You will be redirected to that site

Impact: Outlined in Impact section below

Supporting Material/References:

Here's a proof of concept using the URL javascript:alert("proof of concept"): {F568245}


An attacker could use this for phishing, cookie jacking, etc. since it allows javascript URIs and therefore XSS vectors. Additionally, they could use URL encoding to hide the URL that the victim is being redirected to.
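
A defensive sketch of the check this report calls for, added here as an example and not taken from the report or from MoPub's code: the "next" value is decoded once and accepted only if it is a same-site relative path. The function names, the default landing path and the sample URLs (host app.example.test) are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

DEFAULT_NEXT = "/dashboard"  # assumption: post-login landing path


def safe_next(raw, default=DEFAULT_NEXT):
    """Return raw only if it is a same-site relative path, else default."""
    if not isinstance(raw, str) or not raw:
        return default
    # Browsers drop tabs/newlines and treat a backslash like "/", so values
    # containing control characters, spaces or backslashes are refused outright.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F or c == "\\" for c in raw):
        return default
    # Allowlist: exactly one leading "/". This excludes every scheme
    # (javascript:, data:, https:) and protocol-relative "//host" values.
    if not raw.startswith("/") or raw.startswith("//"):
        return default
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:
        return default
    return raw


def next_from_login_url(login_url, default=DEFAULT_NEXT):
    """Decode the query string once, then validate the decoded value."""
    values = parse_qs(urlsplit(login_url).query).get("next", [])
    # Zero or several "next" values is ambiguous: fall back to the default.
    if len(values) != 1:
        return default
    return safe_next(values[0], default)


if __name__ == "__main__":
    # Constructed sample inputs, not values from the report.
    base = "https://app.example.test/login?next="
    for q in ("%2Faccount%2Fsettings", "javascript%3Aalert(1)",
              "https%3A%2F%2Fother.example%2F", "%2F%2Fother.example%2F",
              "%2F%5Cother.example", "%252Fadmin"):
        print(q, "->", next_from_login_url(base + q))
```

Because validation runs on the decoded value and anything that is not a plain path falls back to the default, URL-encoding the destination does not change the outcome.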