Open Redirects in JetBrains Applications leading to Account Hijacking
After finding an open redirect in Datalore's endpoint for authenticating via JetBrains, the author dug into the auth process to see if it could be turned into an attack. They discovered that if an auth_url parameter was specified (which had to be a valid JetBrains subdomain), Datalore would redirect the user, along with their JWT token, to the given URL. This URL could include the very page which had this open redirect issue. By setting the auth_url to the open redirect page and passing in an attacker-controlled JetBrains JWT token, an attacker could get both the victim's Datalore token and the attacker's own JetBrains token sent to a malicious site.
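The chain above works because the auth_url check only validated the host, and one of the allowed hosts would itself forward to anywhere. The following is an added example, not code from the post or from JetBrains, showing the two checks that break that chain: a strict, pre-registered callback match for auth_url, and a same-site-only redirect for the page that had the open redirect. All hostnames and paths are hypothetical placeholders.

```python
"""Added example (not from the original post or the vendor): checks that break the
token-forwarding chain. Hostnames and callback paths are hypothetical placeholders."""
from urllib.parse import urlsplit, urlunsplit

# Hypothetical: the exact callback URLs an authentication flow may hand a token to.
REGISTERED_CALLBACKS = {"https://app.example-jetbrains.test/auth/callback"}
TRUSTED_SUFFIX = ".example-jetbrains.test"  # stands in for the real vendor domain


def subdomain_only_check(auth_url: str) -> bool:
    """The weak rule described in the post: any host under the trusted suffix is
    accepted, and path and query string are ignored. A trusted host that itself
    redirects elsewhere therefore passes this check."""
    host = urlsplit(auth_url).hostname or ""
    return host.endswith(TRUSTED_SUFFIX)


def registered_callback_check(auth_url: str) -> bool:
    """Strict rule: scheme, host and path must equal a pre-registered callback
    exactly; userinfo, ports, query strings and fragments are all rejected."""
    p = urlsplit(auth_url)
    if p.scheme != "https" or p.query or p.fragment:
        return False
    if p.netloc.lower() != (p.hostname or ""):  # rejects user:pass@ and :port
        return False
    canonical = urlunsplit(("https", p.hostname or "", p.path or "/", "", ""))
    return canonical in REGISTERED_CALLBACKS


def safe_local_redirect(target: str, default: str = "/") -> str:
    """Fix for the open redirect itself: only same-site relative paths are
    followed. Scheme-relative (//host) and backslash forms (/\\host, which
    browsers treat like //host) fall back to the default."""
    p = urlsplit(target)
    if p.scheme or p.netloc or "\\" in target:
        return default
    if not target.startswith("/") or target.startswith("//"):
        return default
    return target
```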
Patch
The open redirect was fixed, and the legacy authentication process was removed altogether, instead relying on OAuth with JetBrains accounts as an identity provider.