Respondly: OAuth open redirect

2014-04-17T19:42:40
ID H1:7900
Type hackerone
Reporter melvin
Modified 2014-04-22T00:01:46

Description

An attacker can use an open redirect vulnerability in the Twitter OAuth process to redirect someone to his/her webpage, while also obtaining the OAuth token and verifier of the victim.

The vulnerability is right here: https://app.respond.ly/_oauth/twitter/?requestTokenAndRedirect=https://hackerone.com. When someone authorizes their Twitter account using that URL, the redirect will go to https://hackerone.com.

Recommendation: make sure the requestTokenAndRedirect paramater only accepts hosts on whitelisted domains.