Security vulnerability: New Passport feature can leak the client's IP address #5020
Steps to reproduce
There should be a warning before navigating to the callback if the user cancels the authentication
There is no such warning; the user can't escape leaking their IP, short of closing the entire app.
The link isn't even exactly 'malicious'. It is a resolve/?domain=telegrampassport link.
--- Copy pasted from the email sent to email@example.com ---
This link contains a callback field with an external URL.
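The report describes a callback that points at a host the client would not otherwise contact, so simply following it discloses the client's IP address to that host. As an added illustration (not code from the Telegram Desktop project, and not the fix adopted for this issue), the following Python sketches the check a client could run before navigating: parse the callback URL and decide whether its host is one the client already trusts. The allowlist, the query-parameter name `callback_url`, and the sample links are all assumptions constructed for this example.

```python
from urllib.parse import urlparse, parse_qs

# Assumed allowlist of hosts the client already talks to; constructed for this example.
TRUSTED_HOSTS = {"telegram.org", "t.me"}


def callback_needs_warning(callback_url, trusted_hosts=TRUSTED_HOSTS):
    """Return True when following callback_url would contact an untrusted host.

    Any navigation to such a URL reveals the client's IP address to that host,
    so the UI should ask for confirmation first, including when the user cancels
    the authentication rather than completing it.
    """
    parsed = urlparse(callback_url)
    # Non-web schemes are not something the client should auto-follow at all.
    if parsed.scheme not in ("http", "https"):
        return True
    # urlparse() returns the real host even for "https://trusted@attacker/" forms,
    # because the userinfo part is split off before the hostname.
    host = (parsed.hostname or "").lower()
    if not host:
        return True
    for trusted in trusted_hosts:
        # Exact match or a proper subdomain; "trusted.attacker.example" does not pass.
        if host == trusted or host.endswith("." + trusted):
            return False
    return True


def resolve_link_needs_warning(resolve_link, param="callback_url"):
    """Inspect a resolve/?domain=...&<param>=<url> link and report whether the
    embedded callback should trigger a warning. The parameter name is an
    assumption for this example; the original report only says the link
    contains a callback field.
    """
    query = parse_qs(urlparse(resolve_link).query)
    callbacks = query.get(param, [])
    if not callbacks:
        return False  # no callback at all, nothing external to navigate to
    return any(callback_needs_warning(cb) for cb in callbacks)


if __name__ == "__main__":
    # Constructed sample links, not taken from the report.
    sample = "tg://resolve/?domain=telegrampassport&callback_url=https%3A%2F%2Fevil.example%2Fcb"
    print("warn before navigating:", resolve_link_needs_warning(sample))
```

The host comparison is deliberately done on `parsed.hostname` rather than on the raw string, so lookalike hosts and userinfo tricks are classified as untrusted; if the client has a single expected callback host, the allowlist collapses to that one entry.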