This bug is caused because of the same mis-configuration as #128119. Only this time Microsoft Outlook auth is vulnerable instead of Facebook. this time I will try to be as clear as possible. after sign up of Twitter, Twitter asks users to import contacts (and it only requires on authorization) - or simply going to https://twitter.com/who_to_follow/import will do that.
I believe you have configured your oauth redirect_uri as twitter.com in your app settings. Meaning Microsoft will accept: - http://twitter.com as valid - http://anything.twitter.com as valid - https://twitter.com as valid - https://anything.twitter.com/path/?anything as valid
So the forumla of a valid redirect_uri for twitter app is http(s?)://.twitter.com/
Okay, so now we make an open redirect.
https://cards.twitter.com/cards/18ce53y6aap/yyms redirects to http://test.com and qualifies to bypass http(s?)://.twitter.com/ and we will add
%2523 behind it like https://cards.twitter.com/cards/18ce53y6aap/yyms%2523 for microsoft to decode and send as a Hash %2523 -> %23 -> # with our stolen access_token.
We can then obtain this token using
location.hash and all the user had to do is a single click (if already authorized - lots of people have)
To make things more clear, here is unlisted YouTube video to demonstrate how this works: https://youtu.be/apwbVpa2r6Y (also attached)