Be careful with phishing

You have just become part of a phishing attack through an open redirect of your identity provider!

But don't worry, we won't steal any of your valuable data!

This page is only intended to illustrate how easily an open redirect in an identity provider can be used to gain access to sensitive information or systems.

What is an open redirect attack?

In an open redirect attack, the attacker is able to modify the redirect URL and point it to a URL of their own.

A redirect URL is used by an identity provider (IDP) at various stages to direct the user back to the original web application after performing an action.

Redirect URLs are used, for example, in:

  • An OAuth login flow
  • A logout

If the identity provider does not take sufficient security measures, the attacker can use this to either display their own website to the user to request further input data or continue the login process and thus gain access to the system.
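As an added example (not code from this page or from any particular identity provider), the sketch below contrasts an insufficient redirect URL check with an exact-match check against the URLs registered for a client. The client registry, the function names and all URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed registry (assumption): client_id -> redirect URLs registered for it.
REGISTERED = {"webapp": {"https://app.example.com/callback"}}

# Constructed sample inputs, as they might arrive in a redirect parameter.
SAMPLES = [
    "https://app.example.com/callback",
    "https://app.example.com.evil.example/callback",
    "https://app.example.com@evil.example/callback",
    "https://app.example.com/callback/../other",
    "https://evil.example/callback",
]

def weak_check(client_id: str, redirect_uri: str) -> bool:
    """Insufficient: only compares the start of the string with the registered origin."""
    return any(redirect_uri.startswith(reg.rsplit("/", 1)[0])
               for reg in REGISTERED.get(client_id, ()))

def strict_check(client_id: str, redirect_uri: str) -> bool:
    """Hardened: well-formed https URL, no userinfo or fragment, exact string match."""
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:
        return False  # malformed URL
    if parts.scheme != "https" or parts.username or parts.password or parts.fragment:
        return False
    # Exact comparison: no prefix, wildcard or "same domain" matching.
    return redirect_uri in REGISTERED.get(client_id, set())

def gaps(client_id: str = "webapp") -> list[str]:
    """URLs the weak check lets through although they were never registered."""
    return [u for u in SAMPLES
            if weak_check(client_id, u) and not strict_check(client_id, u)]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:50} weak={weak_check('webapp', url)!s:5} "
              f"strict={strict_check('webapp', url)}")
```

The same exact-match check applies to the redirect URL used after a logout.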

The following illustration shows an open redirect attack during the OAuth login process:

Your security is important to us


Security and privacy are topics that are particularly close to our hearts. We would be happy to analyze your applications and surrounding systems and advise you on which measures will protect your valuable data and users.

Contact us for a non-binding exchange.

© 2025 Tegonal Cooperative. Your Partner for Open Source Software-based Digital Transformation and Custom Software Development in Berne/Switzerland