Hi,
While authenticating Digits to my Fabric account, I have noticed that the callback_url is not solid, i.e. any subdomain or any path is accepted as callback_url with host as fabric.io.
This issue can be exploited by leaking the authorization token to third party websites (websites mentioned on kit's page).
Steps to reproduce:
This issue can also be exploited on our organization member by actually leaking the consumer secret to our domain.
Steps to reproduce
Regards,
Akhil
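
The following is an added example, not part of the report and not Fabric's code: it contrasts a host-only check that behaves the way the report describes (any subdomain or path under fabric.io passes) with exact matching against pre-registered callbacks. The registered URL, function names and sample inputs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample value: the report does not give the real registered callback.
REGISTERED_CALLBACKS = {"https://fabric.io/example/callback"}


def loose_check(callback_url, base_host="fabric.io"):
    """Host-only validation, matching the behaviour the report describes:
    any subdomain and any path under base_host is accepted."""
    host = (urlsplit(callback_url).hostname or "").lower()
    return host == base_host or host.endswith("." + base_host)


def _key(url):
    """Reduce a URL to the parts that must match exactly, or None if it
    contains anything a callback should never carry."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username or parts.password or parts.fragment:
        return None
    # parts.port raises ValueError on a malformed port; the caller handles it.
    return ((parts.hostname or "").lower(), parts.port or 443, parts.path, parts.query)


def strict_check(callback_url, registered=REGISTERED_CALLBACKS):
    """Accept a callback only if scheme, host, port, path and query all equal
    those of a pre-registered URL. No prefix, suffix or wildcard matching."""
    try:
        key = _key(callback_url)
    except ValueError:
        return False
    return key is not None and key in {_key(r) for r in registered}


if __name__ == "__main__":
    # Constructed inputs showing where the two checks disagree.
    for url in (
        "https://fabric.io/example/callback",
        "https://other.fabric.io/example/callback",
        "https://fabric.io/some/other/page",
    ):
        print(url, "loose:", loose_check(url), "strict:", strict_check(url))
```

With exact matching, the authorization response can only be delivered to the page that was registered to receive it, so pages elsewhere on the host never see the token in their URL or in a Referer header.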