We were contacted by Nayan, who warned us about a vulnerability he had detected: an open redirect.
Posts on Reebels often quote entities, with a link attached. Take, for example, a post quoting Wikihow with the link https://fr.wikihow.com
Before, when you clicked on Wikihow's link, your browser first went to https://www.reebels.com/outbound?url=https://fr.wikihow.com
and, milliseconds later, to https://fr.wikihow.com
A phishing attacker could have abused this.
How? By sending an email containing the link https://www.reebels.com/outbound?url=http://attacker-site.com/phishing-page
The user, trusting the reebels.com URL, could have clicked and would have been redirected to http://attacker-site.com/phishing-page
That could have been a phishing page with a trustworthy appearance (looking like Reebels) that asks the visitor to enter their credentials in order to steal them!
Thank you, Nayan, for contacting us; your rigorous description and ethics were much appreciated!
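One way to close this kind of redirect, given here as an added example and not as Reebels' actual fix (which this post does not describe): the site signs every outbound link when it renders a post, and the /outbound handler refuses any target whose signature is missing or wrong. The `sig` parameter, the key and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

# Assumption: a server-side secret; this value is constructed for the demo.
SECRET_KEY = b"constructed-demo-key-not-a-real-secret"


def _sign(target: str) -> str:
    """HMAC-SHA256 over the exact target URL, hex encoded."""
    return hmac.new(SECRET_KEY, target.encode("utf-8"), hashlib.sha256).hexdigest()


def build_outbound_link(target: str) -> str:
    """Called when a post is rendered: only links the site emits get a signature."""
    return "/outbound?url=" + quote(target, safe="") + "&sig=" + _sign(target)


def resolve_outbound(request_uri: str):
    """Return the URL to redirect to, or None when the request must be refused."""
    params = parse_qs(urlsplit(request_uri).query)
    target = params.get("url", [""])[0]
    sig = params.get("sig", [""])[0]
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed target, e.g. a broken IPv6 literal
        return None
    # Only absolute web URLs are eligible, even when correctly signed.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    # Constant-time comparison on bytes; a missing signature never matches.
    if not hmac.compare_digest(sig.encode("utf-8"), _sign(target).encode("utf-8")):
        return None
    return target


if __name__ == "__main__":
    genuine = build_outbound_link("https://fr.wikihow.com")
    forged = "/outbound?url=http://attacker-site.com/phishing-page"
    print(resolve_outbound(genuine))  # link emitted by the site
    print(resolve_outbound(forged))   # link crafted for a phishing email
```

A signature only proves that the site itself emitted the link, so links that users can attach to posts still need moderation or an interstitial page that shows the destination before leaving the site.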