Hello,
Thanks for your concern. I've verified that neither of these is actually possible.
We don't allow redirects to other domains off of auctiva.com in that parameter. Also, there is security in place to prevent tampering with the URL during the token generation process.