The string uses the file:// protocol. If a web application has a "callback URL" or "image upload by URL" feature that isn't properly sandboxed or restricted, an attacker can supply this string to trick the server into reading its own internal files and sending the contents back to the attacker.

Why This is "Useful" (from a Security Perspective)
Rachel's mind started racing. "And what file exactly?" she asked.
Access keys often have high permissions.
```
[Attacker] ---> Sends OAuth Request with `file:///home/*/.aws/credentials` Callback ---> [Vulnerable App]
                                                                                               |
[Attacker] <--- Exfiltrates Plaintext AWS Secrets <--- App Reads Local File into Response <----+
```

1. Arbitrary Callback Redirection
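One way to reject the `file://` callback described above before the server ever dereferences it, as an added example that is not from the original page. The registered callback, the host allowlist and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}

# Constructed sample data: callback registered for a hypothetical OAuth client.
REGISTERED_CALLBACKS = {"https://app.example.com/oauth/callback"}
# Constructed allowlist for a hypothetical "fetch image by URL" feature.
FETCH_HOSTS = {"images.example.com"}


def url_problem(url, allowed_hosts):
    """Return the reason a URL must be rejected, or None if it is acceptable."""
    # Parsers differ on how they treat embedded whitespace, so refuse it outright.
    if any(c.isspace() or ord(c) < 0x20 for c in url):
        return "whitespace or control character"
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return "unparseable URL"
    # urlsplit lowercases the scheme, so FILE:// and file:// are treated alike.
    if parts.scheme not in ALLOWED_SCHEMES:
        return "scheme %r not allowed" % parts.scheme
    # user@host forms can hide the real host from a reviewer reading the URL.
    if parts.username is not None or parts.password is not None:
        return "userinfo not allowed"
    if parts.hostname not in allowed_hosts:
        return "host %r not allowlisted" % parts.hostname
    if port not in (None, 443):
        return "unexpected port"
    return None


def callback_allowed(url):
    """OAuth callback: accept only an exact match with a registered value."""
    return url in REGISTERED_CALLBACKS


def fetch_allowed(url):
    """Server-side fetch: https only, allowlisted host, default port."""
    return url_problem(url, FETCH_HOSTS) is None
```

The check covers the URL as submitted; the HTTP client that performs the fetch should also be configured not to follow redirects to other schemes or hosts.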