Zomato MCP Auth Helper [SECURITY RESEARCH POC]

HackerOne-amkram

2 installs | 0 ratings | Free
⚠️ SECURITY RESEARCH POC — Bug bounty proof-of-concept demonstrating OAuth authorization code interception via vscode:// URI handler chain. NOT a real tool. See README for details.

⚠️ Zomato MCP Auth Helper — SECURITY RESEARCH POC

This is NOT a real tool. It is a proof-of-concept VS Code extension created as part of a responsible security disclosure (bug bounty) demonstrating a critical OAuth authorization code interception vulnerability in Zomato's MCP OAuth server (mcp-server.zomato.com).

What This Demonstrates

This extension proves that an attacker can steal OAuth authorization codes from Zomato's MCP server by:

  1. Exploiting a redirect_uri validation bypass: the server accepts https://vscode.dev/redirect as a redirect target
  2. Chaining through the open redirector at vscode.dev/redirect, which forwards to a vscode:// URI with the authorization code still attached
  3. Relying on VS Code's URI handler, which prompts the victim to install this extension when a vscode:// URI addressed to it arrives
  4. Receiving the full OAuth authorization code in the extension's handleUri() callback

Attack Chain

Attacker crafts link → Victim authenticates on Zomato → vscode.dev/redirect 302s to vscode:// →
VS Code opens → Extension installs → handleUri() captures auth code → Exfiltrated

Vulnerabilities Demonstrated

  • redirect_uri bypass: Server accepts https://vscode.dev/redirect rather than only the client's registered loopback (localhost) redirect URIs
  • Open redirector: vscode.dev/redirect forwards to vscode:// URIs with the auth code appended
  • No PKCE enforcement: A captured code can be exchanged at the token endpoint without presenting a code_verifier
  • Shared credentials: All clients share client_secret: Z-MCP, so the secret adds no client authentication
  • WAF bypass: Token exchange via POST /tok%65n, a percent-encoded spelling of /token that the WAF rule does not match but the origin server decodes

Responsible Disclosure

This extension is part of an authorized bug bounty submission. It is clearly labeled as a security research PoC and will be unpublished after the vulnerability is addressed.

DO NOT INSTALL

This extension sends captured data to a researcher-controlled webhook. It exists solely to demonstrate the vulnerability. Do not install this extension unless you are the security researcher conducting this test.

© 2026 Microsoft