Open Redirectors

An open redirector is an endpoint that redirects the user-agent to wherever a request parameter points, without validating that value. Open redirectors can be exploited in Login with Amazon by attackers who fool users into authorizing access to the legitimate website: the authorization server redirects the user-agent to the client's redirect URI, but if that URI is an open redirector, it forwards the user-agent (and the authorization response it carries) on to the attacker.

Login with Amazon client websites should ensure that the target of the redirection URI they use for authentication is not configured as an open redirector.

Some common patterns for open redirectors are:

  • example.com/go.php?url=
  • example.com/search?q=user+search+keywords&url=
  • example.com/coupon.jsp?code=ABCDEF&url=
  • example.com/login?url=
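The `login?url=` pattern above, shown as an added example (not Login with Amazon's or any client's code) in two forms: the open-redirector version that trusts the parameter, and a hardened version that only follows site-local paths or URLs on a constructed allowlist, `ALLOWED_HOSTS`, and otherwise falls back to `DEFAULT_TARGET`.

```python
"""Post-login redirect target validation (added example, not vendor code).
Assumes the site only needs to send users to its own pages after login."""
from urllib.parse import urlsplit

# Constructed allowlist of hosts the site may redirect to after login.
ALLOWED_HOSTS = frozenset({"example.com", "www.example.com"})
DEFAULT_TARGET = "/"


def unsafe_login_redirect(url_param: str) -> str:
    """The open-redirector pattern: whatever ?url= says is where we send them."""
    return url_param


def is_safe_redirect(target: str) -> bool:
    """True only if `target` stays on this site or an allowlisted host.

    Rejects: empty values, control characters and backslashes (browsers treat
    '\\' like '/' in http(s) URLs), non-http(s) schemes, absolute URLs to other
    hosts (including userinfo tricks such as 'https://allowed@other/'), and
    scheme-relative references ('//host/...'), which browsers resolve as
    absolute URLs.
    """
    if not target or any(ord(c) < 0x20 or c == "\\" for c in target):
        return False
    parts = urlsplit(target)
    if parts.scheme:
        # Absolute URL: only http(s) to an allowlisted host is acceptable.
        # parts.hostname is the real host even when userinfo ('user@') is
        # present, and is None for malformed forms such as 'https:host'.
        return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS
    if parts.netloc:
        # '//host/path': no scheme, but a browser still leaves the site.
        return False
    # Relative reference: require a site-absolute path and refuse any
    # leading run of slashes, which browsers also treat as an authority.
    return target.startswith("/") and not target.startswith("//")


def safe_login_redirect(url_param: str) -> str:
    """Hardened handler: validated target, or the site's default page."""
    return url_param if is_safe_redirect(url_param) else DEFAULT_TARGET
```

The registered Login with Amazon redirect URI should point at a handler like `safe_login_redirect`, not one that forwards an unchecked parameter.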