Security report: Open redirect at

Report ID: teamwork-2019-01-18a

Researcher name: Julien Cretel

Researcher email:

Report date: 18/01/2019

Status: fixed (18/01/2019)


I've found an open-redirect vulnerability on The endpoint of interest is, where the value of query parameter code doesn't seem to be validated in any way.

Risks & threats

This vulnerability can be exploited by attackers to mount phishing attacks against (possibly high-value) Teamwork users in order to

  • steal their Teamwork credentials;
  • install malware on their machines.

Example attack scenario: stealing Teamwork credentials

  1. The attacker designs a malicious website to look like the Teamwork Projects login page, and serves it at Note: the attacker may use a domain name more similar to (e.g.
  2. The attacker performs some reconnaissance on Teamwork users and acquires some high-impact targets. Some "misfeatures" of the Teamwork Web app make this relatively easy (more details about this available on demand).
  3. The attacker shares the following crafted URL with the victim, either by email or from within one of the Teamwork products. Note: the attacker may hex-encode the query parameter in order to obfuscate it.
  4. The victim follows the link.
  5. The victim clicks the Go to Projects button, and immediately gets redirected to, which looks like the Teamwork login form.
  6. The victim fills the login form and submits it, thereby handing over her Teamwork credentials to the attacker.

This (unlisted) video illustrates such an attack.


OWASP's cheat sheet dedicated to this type of vulnerability provides some guidance.
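The report above describes a redirect parameter that is not validated at all, and the OWASP guidance boils down to two options: allow only site-relative paths, or allow absolute URLs only when the host is on an explicit allowlist. The following is an added illustration of that guidance in Python, written for this page; it is not Teamwork's code or their actual fix. The host `app.example-projects.test`, the parameter name `code` and the function names are constructed for the example. It also covers the obfuscation the report mentions (hex-encoding the parameter) by percent-decoding before checking, and a few common bypass shapes of the same class (protocol-relative `//host`, backslash-as-slash, userinfo before `@`, non-HTTP schemes, control characters).

```python
"""Validate a redirect target before emitting a Location header.

Added example, not code from the original report. Host names and
parameter names below are constructed placeholders.
"""
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed allowlist: the only hosts an absolute redirect may point to.
ALLOWED_HOSTS = {"app.example-projects.test"}
DEFAULT_TARGET = "/"


def _fully_decode(value, rounds=3):
    """Undo percent-encoding, including doubly-encoded input (%252F ...)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a redirect target that is either a site-relative path or an
    absolute http(s) URL on an allowlisted host; otherwise return `default`.
    """
    if not raw:
        return default

    target = _fully_decode(raw)
    # Some browsers treat a backslash in the authority position like a slash,
    # so "/\evil.example" would be followed as "//evil.example". Normalise first.
    target = target.replace("\\", "/")
    # Control characters and whitespace have no place in a redirect target and
    # enable header injection (CR/LF) or parser confusion.
    if any(ord(ch) < 0x21 for ch in target):
        return default

    parts = urlsplit(target)

    if parts.scheme:
        # Absolute URL: scheme must be http/https and the host must match the
        # allowlist exactly (hostname strips userinfo and port, so
        # "https://allowed@evil.example" is compared as "evil.example").
        scheme = parts.scheme.lower()
        if scheme not in ("http", "https"):
            return default
        host = (parts.hostname or "").lower()
        if host not in allowed_hosts:
            return default
        return urlunsplit((scheme, host, parts.path or "/", parts.query, ""))

    # No scheme: accept only a path that starts with exactly one slash.
    # "//evil.example" (and "///evil.example", which browsers collapse to the
    # same thing) would be protocol-relative redirects off-site.
    if not target.startswith("/") or target.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))


def location_header_for(query_params):
    """Build the Location value for a "go to projects" style endpoint from
    the (constructed) `code` query parameter, falling back to the default."""
    return safe_redirect_target(query_params.get("code"))


if __name__ == "__main__":
    samples = [
        "/projects?tab=active",
        "https://app.example-projects.test/projects",
        "https://evil.example/login",
        "//evil.example/login",
        "%2F%2Fevil.example",
        "https://app.example-projects.test@evil.example/",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:55} -> {safe_redirect_target(s)!r}")
```

The exact-match host check is deliberate: a suffix or substring comparison would accept `app.example-projects.test.evil.example`, and comparing against the raw `netloc` rather than `hostname` would accept the userinfo trick. If the application genuinely needs to redirect users off-site, the usual alternative is to store the permitted destinations server-side and pass an opaque key in the parameter instead of a URL.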
