Twitter: [Critical] - Steal OAuth Tokens

ID H1:131202
Type hackerone
Reporter paulos_
Modified 2016-07-11T18:03:59



This bug is caused by the same misconfiguration as #128119. Only this time Microsoft Outlook auth is vulnerable instead of Facebook. This time I will try to be as clear as possible. After signing up for Twitter, Twitter asks users to import contacts (and it only requires one authorization), or simply going to will do that.

I believe you have configured your OAuth redirect_uri as in your app settings, meaning Microsoft will accept:
- as valid
- as valid
- as valid
- as valid

So the formula of a valid redirect_uri for the Twitter app is http(s?)://

Okay, so now we make an open redirect. redirects to and qualifies to bypass http(s?)://, and we will add %2523 behind it, like , for Microsoft to decode and send as a hash (%2523 -> %23 -> #) with our stolen access_token.

We can then obtain this token using location.hash, and all the user had to do is a single click (if already authorized; lots of people have).

To make things clearer, here is an unlisted YouTube video to demonstrate how this works: (also attached)

Thanks, Paulos