X (Formerly Twitter): Bypassing Digits web authentication's host validation with HPP
Hi, I would like to report an issue on Digits web authentication which allows attackers to retrieve the OAuth credential data of an application victims authorized.

Detail

As described in 108429, the login page has 2 parameters, consumerkey and host. The former identifies which app a user wants to...