Top Open Redirect reports from HackerOne:
- [cs.money] Open Redirect Leads to Account Takeover to CS Money - 334 upvotes, $750
- XSS and Open Redirect on MoPub Login to Twitter - 225 upvotes, $1540
- Open Redirect in secure.showmax.com to Showmax - 222 upvotes, $550
- Open redirect at https://inventory.upserve.com/http://google.com/ to Upserve - 159 upvotes, $1200
- Open Redirect on central.uber.com allows for account takeover to Uber - 127 upvotes, $8000
- Twitter lite(Android): Vulnerable to local file steal, Javascript injection, Open redirect to Twitter - 86 upvotes, $1120
- Open redirect vulnerability to Rockstar Games - 80 upvotes, $250
- Open redirect to Nord Security - 79 upvotes, $500
- Open Redirect to Affirm - 70 upvotes, $250
- Reflected XSS & Open Redirect at mcs main domain to Mail.ru - 67 upvotes, $1000
- [dev.twitter.com] XSS and Open Redirect to Twitter - 66 upvotes, $1120
- Open Redirect to Omise - 62 upvotes, $100
- Open redirection at https://chaturbate.com/auth/login/ to Chaturbate - 54 upvotes, $200
- Open Redirection in index.php page to HackerOne - 52 upvotes, $250
- Google API key leaks and security misconfiguration leads Open Redirect Vulnerability to Clario - 51 upvotes, $300
- Open Redirection in Login - Korean Starbucks to Starbucks - 51 upvotes, $0
- Open Redirect on http://events.hackerone.com/redirect?url=https://naglinagli.github.io to HackerOne - 51 upvotes, $0
- [crm.unikrn.com] Open Redirect to Unikrn - 49 upvotes, $50
- Open Redirect on https://www.twitterflightschool.com/widgets/experience?destination_url=https://evil.com to Twitter - 49 upvotes, $0
- Reflected xss and open redirect on larksuite.com using /?back_uri= parameter. to Lark Technologies - 46 upvotes, $500
- Open redirect using theme install to Shopify - 45 upvotes, $500
- Open redirect vuln on login to Vercel - 45 upvotes, $0
- [dev.twitter.com] XSS and Open Redirect Protection Bypass to Twitter - 43 upvotes, $1120
- Open redirect on https://hq-api.upserve.com/ to Upserve - 42 upvotes, $1000
- (HackerOne SSO-SAML) Login CSRF, Open Redirect, and Self-XSS Possible Exploitation to HackerOne - 41 upvotes, $0
- Open Redirect to Twitter - 40 upvotes, $420
- [keybase.io] Open Redirect to Keybase - 39 upvotes, $500
- Open redirect vulnerability in index.php to HackerOne - 39 upvotes, $0
- Open redirect protection (https://www.pixiv.net/jump.php) is broken for novels to pixiv - 38 upvotes, $200
- http://www.nextcloud.com/wp-includes/js/swfupload/swfupload.swf allows open redirect / site defacement to Nextcloud - 37 upvotes, $0
- (BYPASS) Open redirect and XSS in supporthiring.shopify.com to Shopify - 36 upvotes, $1000
- Open Redirect filter bypass through '' character via URL parameter to Myndr - 36 upvotes, $0
- Open Redirect Vulnerability on TikTok Ads Portal to TikTok - 36 upvotes, $0
- Host Header Injection leads to Open Redirect and Content Spoofing or Text Injection. to Omise - 35 upvotes, $300
- Open Redirect on GitLab OAuth leading to Account Takeover to Vercel - 34 upvotes, $0
- Open Redirection in [https://www.hackerone.com/index.php] to HackerOne - 32 upvotes, $0
- GET based Open redirect on [streamlabs.com/content-hub/streamlabs-obs/search?query=] to Logitech - 31 upvotes, $100
- [http2.cloudflare.com] Open Redirect to Cloudflare Vulnerability Disclosure - 31 upvotes, $0
- Bypassing Content-Security-Policy leads to open-redirect and iframe xss to Stripo Inc - 31 upvotes, $0
- Open Redirect on https://go.bitwala.com/ to Nuri - 29 upvotes, $0
- Open redirect in bulk edit to Shopify - 28 upvotes, $500
- Open Redirect (verkkopalvelu.lahitapiola.fi) to LocalTapiola - 28 upvotes, $400
- Open redirect bypass & SSRF Security Vulnerability to Smule - 28 upvotes, $0
- Open Redirect and link spoofing in the VKMA app snippet to VK.com - 27 upvotes, $300
- Open Redirect through POST Request in OAuth to Moneybird - 27 upvotes, $50
- Open Redirect via login avito.ru | Protection bypass to Avito - 27 upvotes, $0
- Open Redirect & Information Disclosure [mijn.werkenbijdefensie.nl] to Radancy - 25 upvotes, $350
- Open Redirect at https://oauth.secure.pixiv.net to pixiv - 25 upvotes, $200
- [idp.fr.cloud.gov] Open Redirect to GSA Bounty - 25 upvotes, $150
- Open Redirection while saving User account Settings to Moneybird - 25 upvotes, $50
- Open redirect on the https://tt.hboeck.de to Hanno's projects - 25 upvotes, $0
- Open Redirect TO Stealing aadvid to TikTok - 24 upvotes, $500
- Open Redirect Protection Bypass to Twitter - 24 upvotes, $280
- Open redirect on chaturbate.com (tipping/purchase_success) to Chaturbate - 24 upvotes, $250
- Open redirect in semrush.com to Semrush - 23 upvotes, $150
- Open redirect on https://signin.rockstargames.com/connect/authorize/rsg to Rockstar Games - 23 upvotes, $150
- Open Redirect at *.myshopify.com/account/login?checkout_url= to Shopify - 22 upvotes, $500
- Interstitial redirect bypass / open redirect in https://hackerone.com/zendesk_session to HackerOne - 22 upvotes, $500
- open redirect while login at https://apps.dev.jupiterone.io can leak access code. to LifeOmic - 22 upvotes, $350
- Steal any users access_token via open redirect in https://streamlabs.com/global/identity?popup=1&r= to Logitech - 22 upvotes, $200
- Open Redirect to Semrush - 22 upvotes, $100
- Open redirect at app.goodhire.com via ReturnUrl parameter to Inflection - 21 upvotes, $750
- Instant open redirect on Live preview WEB Ide opening to GitLab - 20 upvotes, $1000
- CBC "cut and paste" attack may cause Open Redirect(even XSS) to Uber - 20 upvotes, $500
- use of unsafe host header leads to open redirect to Rockstar Games - 20 upvotes, $300
- Open redirect in https://www.rockstargames.com/GTAOnline/restricted-content/agegate/form may lead to Facebook OAuth token theft to Rockstar Games - 19 upvotes, $750
- Open redirect allows changing iframe content in *.myshopify.com/admin/themes/<id>/editor to Shopify - 19 upvotes, $500
- Open Redirect through POST Request to Inflection - 18 upvotes, $350
- Open redirect in the bot message carousel to VK.com - 18 upvotes, $300
- Open Redirection leads to redirect Users to malicious website to Unikrn - 18 upvotes, $50
- Open redirection to New Relic - 18 upvotes, $0
- Open Redirect on smule.com to Smule - 18 upvotes, $0
- Open Redirect (6.0.0 < rails < 6.0.3.2) to Ruby on Rails - 17 upvotes, $1000
- Open Redirect to Inflection - 17 upvotes, $350
- Open Redirect - www.shopify.com to Shopify - 17 upvotes, $0
- Open redirect using checkout_url to Shopify - 16 upvotes, $500
- XSS on www.mapbox.com/authorize/ because of open redirect at /core/oauth/auth to Mapbox - 16 upvotes, $500
- [intensedebate.com] Open Redirect to Automattic - 16 upvotes, $75
- Open redirect on https://blog.fuzzing-project.org to Hanno's projects - 16 upvotes, $0
- Open Redirect to Mail.ru - 16 upvotes, $0
- Open redirect affecting m.rockstargames.com/ to Rockstar Games - 15 upvotes, $750
- Open Redirection Vulnerability in m.vk.com to VK.com - 15 upvotes, $300
- Limited Open redirection using SSO-SAML to HackerOne - 15 upvotes, $0
- [https://█████████/]&&[https://█████████/] Open Redirection to Lyst - 14 upvotes, $300
- Open Redirect on the nl.wordpress.net to WordPress - 14 upvotes, $50
- https://xmpp.nextcloud.com///;@www.google.com allows open redirect to Nextcloud - 14 upvotes, $0
- Open Redirect on Login Page of Stocky App to Shopify - 14 upvotes, $0
- Open redirect on marketing site to Shipt - 13 upvotes, $50
- Open Redirect on [My.com] to Mail.ru - 13 upvotes, $0
- [apps.shopify.com] Open Redirect to Shopify - 12 upvotes, $500
- Reflected XSS and Open Redirect in several parameters (viestinta.lahitapiola.fi) to LocalTapiola - 12 upvotes, $450
- Open redirect / Reflected XSS payload in root that affects all your sites (store.starbucks.* / shop.starbucks.* / teavana.com) to Starbucks - 12 upvotes, $375
- open redirect in eb9f.pivcac.prod.login.gov to GSA Bounty - 12 upvotes, $150
- open redirect in <your_zendesk>.zendesk.com to Zendesk - 12 upvotes, $100
- Open redirect on https://werkenbijdefensie.nl/ to Radancy - 12 upvotes, $50
- (BYPASS) Open Redirect after login at http://ecommerce.shopify.com to Shopify - 11 upvotes, $500
- Open Redirect on slack.com to Slack - 11 upvotes, $500
- Open redirect on the mobile version of VKontakte (m.vk.com to VK.com - 11 upvotes, $300
- Open Redirect in unifi.ubnt.com [Controller Finder] to Ubiquiti Inc. - 11 upvotes, $260
- Stored open redirect in about page to Flickr - 11 upvotes, $150
- Open Redirect located at https://www.robinhood.com/oauth2/authorize/? to Robinhood - 11 upvotes, $100
- Goodhire Open Redirect to Inflection - 11 upvotes, $0
- Open Redirect In passport.maps.me/logout/?next=//fb.com/ to Mail.ru - 11 upvotes, $0
- Open redirect on rush.uber.com, business.uber.com, and help.uber.com to Uber - 10 upvotes, $500
- Open Redirect bypass and cookie leakage on www.lahitapiola.com to LocalTapiola - 10 upvotes, $400
- Open redirect in securegatewayaccess.com / secure.chaturbate.com via prejoin_data parameter to Chaturbate - 10 upvotes, $250
- [hekto] open redirect when target domain name is used as html filename on server to Node.js third-party modules - 10 upvotes, $0
- Open Redirect On Your Login Panel to Zomato - 10 upvotes, $0
- Open redirect open.rocket.chat/file-upload/ID/filename.svg to Rocket.Chat - 10 upvotes, $0
- Open redirect by the parameter redirectUri in the URL to BlackRock - 10 upvotes, $0
- Open redirection in OAuth to Shopify - 9 upvotes, $500
- Open Redirect in m.uber.com to Uber - 9 upvotes, $500
- Open Redirect in riders.uber.com to Uber - 9 upvotes, $500
- Open redirect GET-Based on https://www.flickr.com/browser/upgrade/?continue= to Flickr - 9 upvotes, $150
- [admin.c2fo.com] Open Redirect to C2FO - 9 upvotes, $0
- Open redirection in OAuth to Shopify - 9 upvotes, $0
- [Fix Bypass #541631] Open redirect on Signup to Vercel - 9 upvotes, $0
- Open Redirect in the Path of vendhq.com to Vend VDP - 9 upvotes, $0
- Open Redirect on Greater Asia domains to Starbucks - 9 upvotes, $0
- Open Redirect in www.shopify.dev Environment to Shopify - 9 upvotes, $0
- Open redirect in "Language change". to HackerOne - 8 upvotes, $500
- Open Redirection on Uber.com to Uber - 8 upvotes, $500
- Open redirection protection bypass (/cs/Satellite) to LocalTapiola - 8 upvotes, $400
- Open redirect helps to steal Facebook access_token to Bumble - 8 upvotes, $153
- Open Redirect in <customer>.greenhouse.io to Greenhouse.io - 8 upvotes, $100
- Open Redirection Found in users.whisper.sh to Whisper - 8 upvotes, $30
- Open redirect vulnerability to Slack - 8 upvotes, $0
- [zaption.com] Open Redirect to Zaption - 8 upvotes, $0
- [parc.informatica.com] Reflected Cross Site Scripting and Open Redirect to Informatica - 8 upvotes, $0
- [connect.teavana.com] Open Redirect and abuse of connect.teavana.com to Starbucks - 8 upvotes, $0
- Reflected XSS via Unvalidated / Open Redirect in uber.com to Uber - 7 upvotes, $3000
- XSS and open redirect in verkkopalvelu.lahitapiola.fi to LocalTapiola - 7 upvotes, $450
- [BuddyPress 2.9.1] Open Redirect via "wp_http_referer" parameter on "bp-profile-edit" endpoint to WordPress - 7 upvotes, $275
- Open Redirect in meeting.qiwi.com to QIWI - 7 upvotes, $100
- Open redirect (DOM-based) on av.ru via "return_url" parameter (Login form) to Azbuka Vkusa - 7 upvotes, $100
- [cooking.lady.mail.ru] Open Redirect to Mail.ru - 7 upvotes, $0
- Open Redirect in shopify app URL to Shopify - 7 upvotes, $0
- Open Redirection on auth.rbk.money to RBKmoney - 7 upvotes, $0
- Open redirection in https://zeit.co/login?next= to Vercel - 7 upvotes, $0
- Open Redirect in comment section to ExpressionEngine - 7 upvotes, $0
- [Bypass] Code injection to open redirect in https://insights.newrelic.com/accounts/2521182/dashboards/1026927 to New Relic - 7 upvotes, $0
- Potential Open-Redirection to Ian Dunn - 7 upvotes, $0
- Hong Kong - Open Redirect on card.starbucks.com.hk to Starbucks - 7 upvotes, $0
- Open redirection bypass in /www/admin/campaign-modify.php to Revive Adserver - 7 upvotes, $0
- Open Redirect on https://██.8x8.com/login?nextPage=%2F to 8x8 - 7 upvotes, $0
- Open Redirect possible in https://www.shopify.com/admin/ to Shopify - 6 upvotes, $500
- Open redirection on login to New Relic - 6 upvotes, $0
- [rabota.mail.ru] Open Redirect to Mail.ru - 6 upvotes, $0
- [ml.money.mail.ru] Open Redirect to Mail.ru - 6 upvotes, $0
- [qpt.mail.ru] CRLF Injection / Open Redirect to Mail.ru - 6 upvotes, $0
- Open Redirection at https://it.mail.ru/ to Mail.ru - 6 upvotes, $0
- Open Redirect at "city-mobil.ru" to Mail.ru - 6 upvotes, $0
- Open Redirect and CRLF Injection Leads to XSS on [app.doma.uchi.ru] to Mail.ru - 6 upvotes, $0
- OPEN REDIRECT to Nutanix - 6 upvotes, $0
- Open Redirector via (apps/files_pdfviewer) for un-authenticated users. to ownCloud - 5 upvotes, $150
- [status.zopim.com] Open Redirect to Zendesk - 5 upvotes, $100
- Open Redirect vulnerability in moneybird.com to Moneybird - 5 upvotes, $50
- [skyliner.io / qa.skyliner.io] Open Redirect to Skyliner - 5 upvotes, $0
- Open Redirect in a DoD website to U.S. Dept Of Defense - 5 upvotes, $0
- Open Redirect to Mail.ru - 5 upvotes, $0
- Open-redirect on login.xero.com to Xero - 5 upvotes, $0
- Open Redirect to Mail.ru - 5 upvotes, $0
- Open redirect while disconnecting authenticated account to Weblate - 5 upvotes, $0
- Open redirect while disconnecting Email to Weblate - 5 upvotes, $0
- Open redirects protection bypass to ExpressionEngine - 5 upvotes, $0
- Open redirect vulnerability in a DoD website to U.S. Dept Of Defense - 5 upvotes, $0
- Open redirect deceive in hackerone.com via another open redirect link. to HackerOne - 5 upvotes, $0
- open redirect in rfc6749 to Internet Bug Bounty - 4 upvotes, $3000
- Open Redirect after login at http://ecommerce.shopify.com to Shopify - 4 upvotes, $500
- [qiwi.com] Open Redirect to QIWI - 4 upvotes, $150
- Unvalidated / Open Redirect to Zendesk - 4 upvotes, $100
- Open-redirect on paragonie.com to Paragon Initiative Enterprises - 4 upvotes, $50
- Open redirection bypass to New Relic - 4 upvotes, $0
- [marketplace.informatica.com] Open Redirect to Informatica - 4 upvotes, $0
- Login Open Redirect to New Relic - 4 upvotes, $0
- [Repository Import] Open Redirect via "continue[to]" parameter to GitLab - 4 upvotes, $0
- Cross Site Scripting and Open Redirect in affiliate-preview.php file to Revive Adserver - 4 upvotes, $0
- Open Redirect at https://www.nutanix.com/tw/login via icid parameter to Nutanix - 4 upvotes, $0
- Reflected XSS and Open Redirect (verkkopalvelu.lahitapiola.fi) to LocalTapiola - 3 upvotes, $400
- Open Redirection In connect.identity.stagaws.visma.com to Visma Public - 3 upvotes, $100
- CPU utilization 99% on visiting wordpress site url & open redirect found to Automattic - 3 upvotes, $75
- WebSummit - Open Redirect to WebSummit - 3 upvotes, $0
- Open redirection to New Relic - 3 upvotes, $0
- Open redirection bypass . to New Relic - 3 upvotes, $0
- [api.login.icq.net] Open Redirect to Mail.ru - 3 upvotes, $0
- [it.mail.ru] Open Redirect to Mail.ru - 3 upvotes, $0
- Open Redirect to New Relic - 3 upvotes, $0
- Open redirect to GitLab - 3 upvotes, $0
- Open Redirect via "next" parameter in third-party authentication to Weblate - 3 upvotes, $0
- Open redirect on sign in to Coinbase - 3 upvotes, $0
- [tanks.mail.ru] Open Redirect to Mail.ru - 3 upvotes, $0
- Open redirect in switch account functionality to Revive Adserver - 3 upvotes, $0
- Open Redirect leak of authenticity_token lead to full account take over. to Twitter - 2 upvotes, $1400
- Trick make all fixed open redirect links vulnerable again to Slack - 2 upvotes, $1000
- Open-redirect on hackerone.com to HackerOne - 2 upvotes, $500
- Host Header is not validated resulting in Open Redirect to IRCCloud - 2 upvotes, $100
- Open redirect - user interaction needed (verkkopalvelu.lahitapiola.fi/e2/..) - based on #179328 to LocalTapiola - 2 upvotes, $100
- Open Redirection in SmartHistory KhanAcademy to Khan Academy - 2 upvotes, $0
- Open Redirect via Request-URI to Yahoo! - 2 upvotes, $0
- XSS and Open Redirect on https://jobs.dubizzle.com/ to OLX - 2 upvotes, $0
- open redirection at login to New Relic - 2 upvotes, $0
- Open redirect in Signing in via Social Sites to Weblate - 2 upvotes, $0
- owncloud.com open redirect to ownCloud - 2 upvotes, $0
- OPEN REDIRECTION at every 302 HTTP CODE to Brave Software - 2 upvotes, $0
- Open redirect in Serendipity (exit.php) to Hanno's projects - 2 upvotes, $0
- China - Open redirect at trackinghub.starbucks.com.cn to Starbucks - 2 upvotes, $0
- Open redirection on secure.phabricator.com to Phabricator - 1 upvotes, $400
- Open redirection in fabric.io to Twitter - 1 upvotes, $280
- Open Redirect login account to Slack - 1 upvotes, $100
- Open redirect filter bypass to Zaption - 1 upvotes, $25
- Yahoo open redirect using ad to Yahoo! - 1 upvotes, $0
- https://www.khanacademy.org/login open-redirect to Khan Academy - 1 upvotes, $0
- open redirect in https://slack.com to Slack - 1 upvotes, $0
- Open Redirection to Urban Dictionary - 1 upvotes, $0
- Open redirect and reflected xss in http://youthvoices.adobe.com/community?return_url=[payload her] to Adobe - 1 upvotes, $0
- Open Redirect on [blog.wavecell.com] to 8x8 - 1 upvotes, $0
- Open redirect in ck.php and lg.php to Revive Adserver - 1 upvotes, $0
- Vulnerability Name: URL Redirection / Unvalidate Open Redirect to Reddit - 1 upvotes, $0
- open redirect sends authenticity_token to any website or (ip address) to Twitter - 0 upvotes, $560
- Open Redirect to WePay - 0 upvotes, $300
- OAuth open redirect to Respondly - 0 upvotes, $0
- Open redirect on tw.money.yahoo.com to Yahoo! - 0 upvotes, $0
- open redirect to RelateIQ - 0 upvotes, $0
- Open Redirect in Slack to Slack - 0 upvotes, $0
- Open Redirect in WordPress Feed Statistics {Affected All Versions} to Automattic - 0 upvotes, $0
- oauth redirect uri validation bug leads to open redirect and account compromise to WePay - 0 upvotes, $0
- Open Redirection Security Filter bypassed to Vimeo - 0 upvotes, $0
- Open redirect in fastify-static via mishandled user's input when attempt to redirect to Fastify - 0 upvotes, $0