Domain spoofing in redirect page using RTLO

Disclosed: 2018-01-30 03:46:00 By ashish_r_padelkar To security
Low
Vulnerability Details
**Summary:** Hello, domains can be spoofed on the redirect page using RTLO.

**Description (Include Impact):** Using `http://[email protected]` and the `RTLO` method, I found a way in which the redirect page's host detection can be spoofed.

# Steps

1. Insert this in a report: `[Just Click Here](https://google.com@%E2%80%[email protected])`
2. On clicking the link, it will redirect to the `/redirect` page. Here you will see that `Twitter.com` is the highlighted domain. See the screenshot below.
3. Ideally, if there is any malformed URL, it shows some kind of warning, but not in this case.
4. Click on the `Proceed` button and you will be redirected to `https://moc.rettiwt/` instead.

### Browser version, Device, etc

Tested on Chrome for Mac but should work in all browsers.

# POC link

https://google.com@%E2%80%[email protected]

### Screenshots

{F248121}

## Impact

This can be used to spoof URLs on HackerOne.

Regards,
Ashish
Report Stats
  • Report ID: 299403
  • State: Closed
  • Substate: resolved
  • Upvotes: 46