Innovative host header attack bags $7,560 bounty

A newly disclosed attack that abuses an OAuth login flow may affect other companies that use token-based logins to link third-party social accounts.

Potential security issues with OAuth implementations came to light after a researcher discovered a vulnerability in Periscope's Twitter login that could enable the takeover of users' accounts.

Publishing his findings on HackerOne, Ron Chan said logging into Periscope TV through Twitter was susceptible to a host header attack that could result in a victim’s credentials being stolen.

Host header attacks are traditionally used for password reset poisoning or web cache poisoning, because a tampered Host header only changes the response to the attacker's own request: to reach a victim, the poisoned output needs an out-of-band delivery channel such as a reset email or a shared cache. Chan discovered that Periscope's OAuth login could serve as such a channel, provided the victim has linked accounts, such as Periscope and Twitter.

“When you log in to periscope.tv using Twitter, and change the host header from www.periscope.tv to attacker.com/www.periscope.tv, the OAuth redirect destination will be attacker.com/www.periscope.tv,” said Chan.

Chan added that, after changing the Host header, an attacker can send the resulting OAuth authorization link to a victim and, via the token issued when the victim logs in, obtain the user's account details.
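To make the mechanism concrete, the following is an added Python example, not code from Chan's report or from Periscope, that models a login handler deriving its OAuth callback URL from the request's Host header, next to a hardened form that uses a configured host instead. The hostnames www.periscope.tv and attacker.com come from the article; the callback path, authorization endpoint, client ID, parameter names and the two sample requests are constructed for the example and are assumptions.

```python
"""Host header poisoning of an OAuth redirect: vulnerable vs hardened builder."""
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed application configuration (constructed for this example; the real
# Periscope settings are not known from the article).
CANONICAL_HOST = "www.periscope.tv"
ALLOWED_HOSTS = {"www.periscope.tv", "periscope.tv"}
CALLBACK_PATH = "/auth/twitter/callback"                         # hypothetical
AUTHORIZE_ENDPOINT = "https://provider.example/oauth/authorize"  # placeholder IdP
CLIENT_ID = "example-client-id"                                  # placeholder

# Constructed sample requests: an honest one, and the one Chan describes,
# where the Host header is replaced with attacker.com/www.periscope.tv.
HONEST_REQUEST = {"Host": "www.periscope.tv"}
POISONED_REQUEST = {"Host": "attacker.com/www.periscope.tv"}


def build_redirect_uri_vulnerable(headers):
    """Flawed pattern: trust the request's Host header to name our own site.

    Whatever the client puts in Host becomes the authority of the redirect
    URI that the identity provider will later send the user (and token) to.
    """
    host = headers.get("Host", CANONICAL_HOST)
    return f"https://{host}{CALLBACK_PATH}"


def is_trusted_host(host):
    """Exact allowlist match on the hostname, ignoring an optional port.

    A value containing '/', an extra suffix, or anything else that is not a
    bare allowed hostname fails the membership test and is rejected.
    """
    hostname, _, _port = host.partition(":")
    return hostname.lower() in ALLOWED_HOSTS


def build_redirect_uri_hardened(headers):
    """Never derive the callback authority from an untrusted header.

    Host is consulted only to decide whether to serve the request at all;
    the callback always uses the configured canonical host.
    """
    host = headers.get("Host", "")
    if not is_trusted_host(host):
        # A real handler would answer 400 here; raising keeps the example explicit.
        raise ValueError(f"untrusted Host header: {host!r}")
    return f"https://{CANONICAL_HOST}{CALLBACK_PATH}"


def hardened_accepts(headers):
    """True if the hardened builder would serve this request."""
    try:
        build_redirect_uri_hardened(headers)
        return True
    except ValueError:
        return False


def build_authorization_url(redirect_uri, state="constructed-state"):
    """The link the app hands to the user, and that the attacker forwards."""
    params = {"client_id": CLIENT_ID, "redirect_uri": redirect_uri,
              "response_type": "code", "state": state}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def redirect_host(authorization_url):
    """Host the provider will send the user, and the token, to after login."""
    query = parse_qs(urlsplit(authorization_url).query)
    return urlsplit(query["redirect_uri"][0]).netloc


if __name__ == "__main__":
    for label, req in (("honest", HONEST_REQUEST), ("poisoned", POISONED_REQUEST)):
        url = build_authorization_url(build_redirect_uri_vulnerable(req))
        print(f"vulnerable, {label} request -> token goes to {redirect_host(url)}")
    print(f"hardened, poisoned request accepted: {hardened_accepts(POISONED_REQUEST)}")
    url = build_authorization_url(build_redirect_uri_hardened(HONEST_REQUEST))
    print(f"hardened, honest request -> token goes to {redirect_host(url)}")
```

Running the module shows the poisoned request producing an authorization link whose redirect lands on attacker.com, which is the link an attacker would forward to a victim. The hardened builder treats Host only as a gate (exact allowlist match, port stripped) and never copies it into the callback; that is the general fix for this class of bug: the redirect URI an OAuth client registers and sends must come from configuration, not from anything supplied in the request.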

The security issue was fixed by Twitter in March, and permission for its public disclosure was granted yesterday.

Chan received $7,560 for finding the vulnerability under Twitter’s bug bounty programme.

The same technique is likely to affect other apps whose OAuth redirect destination is derived from the request's Host header rather than from a fixed, configured callback URL.