Responsible Disclosure: arXiv - redirect on login


Suppose you are sent a link to a website - e.g.

But, before you can access it, you need to log in. So the website redirects you to:

If you get the password right, you go to the original page you requested. Nice!

But what happens if someone manipulates that query string? Suppose an adversary sends you a link like this:

A sensible redirection system should say "Hang on a minute! Only internal redirections are allowed. I'd better stop this tomfoolery."

Sadly, that's not always the case. Take, for example, - a website for academics and researchers to share papers.

I discovered that a URL like this - - would redirect a logged-in user to any external site.

A malicious user could redirect users to a phishing page and steal their credentials, or send them to a site hosting malware, and so on.

The fix is pretty simple. Any redirection logic should ensure that users can only be redirected to an internal page, not an external site.
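Here is one way to implement that check, as an added example written for this post (it is not arXiv's own code); the allowed host `arxiv.org`, the `next` parameter name and the sample values are assumptions:

```python
from urllib.parse import urlsplit


def is_safe_redirect(target: str, allowed_host: str) -> bool:
    """True only if `target` is a site-relative path or an absolute http(s)
    URL on allowed_host. Other hosts, protocol-relative "//host" forms,
    "https:host" with no netloc, userinfo tricks ("ours@evil") and
    backslash/control characters are all rejected."""
    if not target or any(c in target for c in "\\\r\n\t"):
        return False
    parts = urlsplit(target)
    if parts.netloc:
        # Absolute or protocol-relative URL: must be http(s) AND on our host.
        # "//evil.example" has a netloc but an empty scheme, so it fails here.
        return (parts.scheme in ("http", "https")
                and parts.netloc.lower() == allowed_host.lower())
    if parts.scheme:
        # A scheme with no host, e.g. "https:evil.example": browsers may still
        # resolve it to an external site, so refuse it.
        return False
    # Plain site-relative path. "///evil.example" parses with an empty netloc
    # but browsers treat it as scheme-relative, so insist on a single slash.
    return target.startswith("/") and not target.startswith("//")


def safe_next(target: str, allowed_host: str, default: str = "/") -> str:
    """Redirect target to use after login: the requested one if safe, else default."""
    return target if is_safe_redirect(target, allowed_host) else default


if __name__ == "__main__":
    # Constructed sample values of a post-login `next` parameter (not real traffic).
    samples = ["/user/account", "https://arxiv.org/user/account",
               "https://evil.example/", "//evil.example/", "///evil.example",
               "https:evil.example", "https://arxiv.org@evil.example/",
               "/\\evil.example"]
    for candidate in samples:
        print(f"{candidate!r:40} -> {safe_next(candidate, 'arxiv.org')}")
```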


  • 2023-04-18 - Discovered. Opened a bug on GitHub asking for a way to privately disclose. Shortly afterwards, I received an email address and sent my findings.
  • 2023-04-19 - Sent a screencast showing the open redirect. Issue confirmed by the developer.
  • 2023-04-24 - A fix was proposed which solved some of the issues but not all of them.
  • 2023-05-02 - Final fix pushed.
  • 2023-05-19 - This post automatically published.
