CVE-2026-50090

Aqara · Cloud OAuth

A redirect bypass vulnerability in the Aqara Cloud OAuth endpoint allows attackers to perform credential theft and phishing by exploiting weak domain validation.

Executive summary

A critical OAuth redirect bypass in the Aqara Cloud Authorization Endpoint (CVSS 9.3) allows unauthenticated attackers to perform phishing and credential theft via improper domain validation.

Vulnerability

The endpoint is vulnerable to a redirect bypass due to lax controls on domain matching (CWE-1289). This flaw allows unauthenticated attackers to manipulate the redirect destination, effectively bypassing intended security controls during the OAuth authorization flow.

Business impact

With a CVSS score of 9.3, this vulnerability poses a severe risk to user accounts. By redirecting users to attacker-controlled domains, adversaries can conduct effective phishing campaigns and steal sensitive authentication tokens, leading to unauthorized account access and potential data exfiltration from connected devices.

Remediation

Immediate Action: Users should remain vigilant against suspicious login prompts and ensure they are only authenticating on verified domains. Contact the vendor for information on platform updates.

Proactive Monitoring: Review OAuth access logs for anomalous redirect patterns or attempts to redirect users to unauthorized external domains.

Compensating Controls: Implement strict Content Security Policy (CSP) headers and monitor for any abnormal traffic patterns directed away from authorized Aqara domains during the login process.
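To make the lax-versus-strict domain matching described under Vulnerability concrete, and to sketch the log review suggested under Proactive Monitoring, here is an added Python example that is not from the advisory or from Aqara; the allowlist, hostnames, log format and function names are all placeholders constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed placeholder allowlist; no real Aqara hostnames appear on this page.
# A strict validator compares the full redirect_uri against values registered
# for the client at onboarding, never against a substring or suffix.
REGISTERED_REDIRECT_URIS = {"https://app.vendor.example/oauth/callback"}
TRUSTED_DOMAIN = "vendor.example"


def lax_redirect_ok(redirect_uri):
    """Lax check of the kind CWE-1289 describes: any host that merely
    contains the trusted domain string passes, including unrelated hosts."""
    host = urlsplit(redirect_uri).hostname or ""
    return TRUSTED_DOMAIN in host


def strict_redirect_ok(redirect_uri):
    """Hardened check: https only, no credentials/query/fragment, and the
    scheme+host+path must exactly equal a pre-registered redirect URI."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username or parts.password or parts.query or parts.fragment:
        return False
    try:
        if parts.port not in (None, 443):
            return False
    except ValueError:  # malformed port such as ":abc"
        return False
    canonical = f"https://{parts.hostname}{parts.path or '/'}"
    return canonical in REGISTERED_REDIRECT_URIS


# Constructed authorization-endpoint log lines in key=value form.
SAMPLE_LOG = [
    "ts=2026-01-01T00:00:00Z client_id=c1 redirect_uri=https://app.vendor.example/oauth/callback",
    "ts=2026-01-01T00:00:05Z client_id=c1 redirect_uri=https://app.vendor.example.other-host.example/cb",
    "ts=2026-01-01T00:00:09Z client_id=c2 redirect_uri=http://app.vendor.example/oauth/callback",
]


def audit_authorize_requests(log_lines):
    """Detection pass for the monitoring step: return (client_id, redirect_uri)
    for requests the lax matcher would accept but the strict one rejects."""
    flagged = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        uri = fields.get("redirect_uri", "")
        if lax_redirect_ok(uri) and not strict_redirect_ok(uri):
            flagged.append((fields.get("client_id"), uri))
    return flagged
```

Running the audit over the constructed log flags the second and third requests, which is the kind of anomalous redirect pattern the monitoring step asks reviewers to look for.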

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability is a significant threat to user trust and account security. Organizations and users interacting with the Aqara Cloud OAuth service should exercise extreme caution and work with the vendor to confirm when a patch or configuration change is implemented to enforce strict domain validation.