Covert Redirect – Wikipedia

Covert Redirect is a class of security bugs disclosed in May 2014.[1] It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation.[2]


Covert Redirect is also related to single sign-on. It is well known by its influence on OAuthand OpenID. Covert Redirect was found and dubbed by a mathematics PhD student Wang Jing from School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.[3]

After Covert Redirect was published, it is kept in some common databases such as SCIP,OSVDB, Bugtraq, etc. Its scipID is 13185,[4] while OSVDB reference number is 106567.[5]Bugtraq ID: 67196.[6]