Potential security issues with OAuth were questioned after a researcher discovered a vulnerability on Periscope’s Twitter app, which could enable the takeover of users’ accounts.
Publishing his findings on HackerOne, Ron Chan said logging into Periscope TV through Twitter was susceptible to a host header attack that could result in a victim’s credentials being stolen.
Host header attacks are used for password reset or cache poisoning because they require an out of band attack channel. Chan discovered that he could use Periscope’s OAuth system as such a channel, provided his victim has accounts.
Ron Chan added that after changing the host header, an attacker is able to send the OAuth authorization link to their victim and obtain the user’s account details via the token that is issued.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now
We welcome comments that add value to the discussion. We attempt to block comments that use offensive language or appear to be spam, and our editors frequently review the comments to ensure they are appropriate. If you see a comment that you believe is inappropriate to the discussion, you can bring it to our attention by using the report abuse links. As the comments are written and submitted by visitors of the The Paypers website, they in no way represent the opinion of The Paypers.