X (Formerly Twitter): leaking Digits OAuth authorization to third party websites

Hi,

While authenticating digits to my Fabric account i have noticed that the callback_url is not solid i.e. any sub domain or any path is accepted as callback_url with host as fabric.io.
This issue can be exploited by leaking the authorization token to third party websites (websites mentioned on kit’s page)

Steps to reproduce:

• Go to https://www.digits.com/login?consumer_key=YlNgs6zwm4QLmrzJBwRK3FcR5&callback_url=https://fabric.io/kits/ios/stripe&host=https://fabric.io
• Give access to Digits
• Now you will be redirected to https://fabric.io/kits/ios/stripe
• While on stripe kits page click on the stripe website URL (https://stripe.com)
• The authorization token will be leaked to stripe.com
  {F118436}

This issue can also be exploited on our organization member by actually leaking the consumer secret to our domain.

Steps to reproduce

• Add the victim to your organization
• Create an crash issue under fabric
• add a note to that issue for ex: https://wesecureapp.com
• Note down the issue URL
  {F118437}
  Ex: https://fabric.io/img-srcx-onerrorprompt15/android/apps/app.myapplication/issues/56207e21f5d3a7f76bd5c20c
• Change the call back URL to issue url
  https://www.digits.com/login?consumer_key=YlNgs6zwm4QLmrzJBwRK3FcR5&callback_url=https://fabric.io/img-srcx-onerrorprompt15/android/apps/app.myapplication/issues/56207e21f5d3a7f76bd5c20c&host=https://fabric.io
• Give digits permission
• You will be redirected to issue
• Now click the link in the notes and the OAuth token will be leaked to the attacker controlled domain.
  {F118438}

Regards,
Akhil