Logitech: Steal any users `access_token` via open redirect in https://streamlabs.com/global/identity?popup=1&r=
Hey there. After reading the disclosed report 1178239, I started to look for bypasses, but I found that it's restricted to only streamlabs.com and merch.streamlabs.com; providing any other domain or subdomain of streamlabs.com gives an error instead of the 302 redirect. From the Wayback Machine...
Logitech: session takeover via open protocol redirection on streamlabs.com
Summary: Hi Logitech team, on streamlabs.com the endpoint streamlabs.com/global/identity?popup=1&r=protocol://merch.streamlabs.com redirects any authenticated user to an arbitrary protocol, and it merges the redirect link with an access token. F1281409 This means that if a malicious app that handles...
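The two reports describe the same root cause from two angles: the `r` parameter is validated on the host part only, so `https://evil.example` is rejected while `protocol://merch.streamlabs.com` passes, and the 302 Location carries the user's access token to whatever application has registered that scheme. The following is an added example, not Streamlabs' or Logitech's code, that models a host-only check beside a hardened one using the WHATWG `URL` parser. The exact form of the original validation and the way the token is appended (`access_token` query parameter) are assumptions for illustration.

```javascript
// Added example: host-only redirect validation vs. scheme-and-host validation.
// Not the application's real code; the original check is modelled as an assumption.
const ALLOWED_HOSTS = new Set(["streamlabs.com", "merch.streamlabs.com"]);

// Assumed weak check: looks only at the host after "://", so the scheme is never
// inspected and "protocol://merch.streamlabs.com" is accepted.
function weakRedirectAllowed(r) {
  const afterScheme = r.split("://")[1] || "";
  const host = afterScheme.split(/[/?#]/)[0];
  return ALLOWED_HOSTS.has(host);
}

// Hardened check: parse as an absolute URL, require https, no embedded
// credentials, and an exact hostname match against the allowlist.
function hardenedRedirectAllowed(r) {
  let u;
  try {
    u = new URL(r); // relative or unparsable input throws and is rejected
  } catch {
    return false;
  }
  if (u.protocol !== "https:") return false;
  if (u.username || u.password) return false; // https://streamlabs.com@evil.example
  return ALLOWED_HOSTS.has(u.hostname);
}

// Simulates the identity endpoint building its 302 Location: if the check
// passes, the access token is merged into the redirect target (assumed format).
function buildRedirect(r, accessToken, check) {
  if (!check(r)) return null; // the real endpoint returns an error instead of 302
  const u = new URL(r);
  u.searchParams.set("access_token", accessToken);
  return u.toString();
}

function demo() {
  const r = "protocol://merch.streamlabs.com"; // constructed attacker-controlled value
  const token = "constructed-token"; // constructed sample token
  return {
    leakedByWeakCheck: buildRedirect(r, token, weakRedirectAllowed),
    blockedByHardenedCheck: buildRedirect(r, token, hardenedRedirectAllowed),
  };
}

console.log(demo());
```

With the host-only check, the Location header is `protocol://merch.streamlabs.com?access_token=...`, which the browser hands to whichever local application registered the `protocol` scheme; the hardened check rejects it before any redirect is issued, and also closes the `user@host` and lookalike-host variants.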