page.line.me Open Redirect Leading to OAuth Authorization Code Exposure and Access Token Compromise

Bug reported by Natthakul Raingoen was disclosed at June 2, 2026, 3:30 am   |  

An open redirect vulnerability was identified in page.line.me because redirect destinations were not properly restricted to trusted domains. This vulnerability could have been abused within an OAuth 2.0 authorization flow to cause the authorization response to be sent to an attacker-controlled endpoint, potentially exposing the authorization code issued after successful user authentication.