Handful of OAuth bugs combine for GitHub session theft
Chaining together five low security bugs has allowed Russian security researcher Egor Homakov to steal user sessions and increase the scope of OAuth tokens from GitHub, giving Homakov the ability to access and delete private GitHub repositories and Gists.
Detailing the process of linking the five bugs together in a blog post, Homakov called his exploit the "perfect crime".
The pairs of bugs dealt with the permitting of directory traversal used in the redirect_uri parameter sent to GitHub, and the lack of validation of the redirect_uri parameter conducted by the repository hosting service. "It was flawed: no matter what redirect_uri the Client sent to get a token, the Provider responded with valid access_token," Homakov said.