Summary

  • A security researcher uncovered a vulnerability in Twitter’s integration with Microsoft Outlook OAuth that allowed them to steal OAuth tokens and access user data.
  • The vulnerability stemmed from a misconfiguration in the redirect URIs specified by the OAuth application, allowing for a broad range of URLs under the twitter.com domain, and not limiting the redirect to only known hosts and paths.
  • This meant that after authorisation, when Microsoft’s OAuth system redirected the researcher, it would include an access token allowing the researcher to seize control of the user’s Twitter account.
  • Twitter has since fixed the issue and awarded the researcher an $840 bounty in recognition of the finding.
  • This story highlights how important it is for developers to configure OAuth correctly and to limit the registered redirect URIs to only those absolutely necessary, to prevent such security issues.
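As an added illustration (this code is not from the original article and does not reproduce Twitter's or Microsoft's actual configuration), the following Python contrasts the two redirect-URI validation rules the summary contrasts: a broad rule that accepts any https URL anywhere under the registered host, and the exact-match rule that RFC 6749 §3.1.2.3 and the OAuth 2.0 Security Best Current Practice call for. The registered URI `https://app.example.com/oauth/callback` and the sample candidate URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist of registered redirect URIs (hypothetical application).
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
}


def loose_redirect_ok(candidate: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Broad host-wide matching: accept any https URL whose host equals a
    registered host or is a subdomain of it, with any path, query or fragment.
    This is a generic reconstruction of the over-permissive pattern described in
    the summary, where many URLs under one domain are treated as trusted."""
    parts = urlsplit(candidate)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    for reg in registered:
        reg_host = (urlsplit(reg).hostname or "").lower()
        if host == reg_host or host.endswith("." + reg_host):
            return True
    return False


def _canonical(uri: str):
    """Decompose a URI into (scheme, host, port, path) for exact comparison.
    Raises ValueError on an unparsable port, which the caller treats as reject."""
    p = urlsplit(uri)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port, p.path or "/")


def strict_redirect_ok(candidate: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Exact matching: scheme, host, port and path must equal a registered entry.
    Query strings, fragments and userinfo in the candidate are rejected outright,
    so the token can only ever be delivered to a pre-registered endpoint."""
    p = urlsplit(candidate)
    if p.scheme != "https" or p.query or p.fragment or p.username is not None:
        return False
    try:
        cand = _canonical(candidate)
    except ValueError:
        return False
    return any(cand == _canonical(r) for r in registered)


def compare_rules(candidates):
    """Return {url: (loose_result, strict_result)} so the gap between the two
    policies is visible side by side."""
    return {u: (loose_redirect_ok(u), strict_redirect_ok(u)) for u in candidates}


if __name__ == "__main__":
    # Constructed sample redirect_uri values an authorization server might see.
    samples = [
        "https://app.example.com/oauth/callback",          # the registered URI
        "https://app.example.com/some/other/page",         # same host, other path
        "https://help.app.example.com/anything",           # subdomain, any path
        "https://app.example.com/oauth/callback?x=1",      # extra query string
        "http://app.example.com/oauth/callback",           # wrong scheme
    ]
    for url, (loose, strict) in compare_rules(samples).items():
        print(f"{url:50s} loose={loose!s:5s} strict={strict}")
```

Only the first sample survives the strict rule; the broad rule also accepts three others, which is exactly the surface the summary warns about: every page under the host becomes a place an authorisation response, token included, may be sent.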

By Monika Sharma

Original Article