Hi,

Today we were privately informed about a misconfigured OAuth callback URL in our GitHub application. We only allow its use for repository import, so it is not widely used. This misconfiguration allowed a covert redirect vulnerability[1] and possible account takeover of any account using the integration. We quickly changed that setting to a better suited value.

During the discussion we were informed that GitHub overall does pretty loose checking of the callback or redirect URL. They accept all sub-resources and, more problematic, all sub-domains.[2] If you configure the URL to https://example.com/users, it will happily accept:

- https://example.com/users/bla
- https://bla.example.com/users

We host services on sub-domains of salsa.debian.org. I was not able to verify quickly that none of those services could help in this attack. So I decided to disable the integration for now.

Sorry about any inconvenience.

Regards,
Bastian

[1]: https://oauth.net/advisories/2014-1-covert-redirect/
[2]: https://hackerone.com/reports/292825
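As an added illustration (not code from the message, from GitHub or from salsa), the following Python models the two redirect URI policies the message contrasts: the permissive matching that accepts the two URLs listed above, beside the exact-match check an authorization server should apply. The registered URL and the candidate list are constructed from the message's example.

```python
from urllib.parse import urlsplit

# Registered callback URL, taken from the example in the message.
REGISTERED_CALLBACK = "https://example.com/users"


def loose_match(registered: str, candidate: str) -> bool:
    """Model of the permissive matching the message describes: any
    sub-resource (path below the registered path) and any sub-domain of
    the registered host is accepted. Shown only to make the problem
    visible; an authorization server should not validate this way."""
    reg, cand = urlsplit(registered), urlsplit(candidate)
    if reg.scheme != cand.scheme or cand.hostname is None:
        return False
    host_ok = cand.hostname == reg.hostname or cand.hostname.endswith("." + reg.hostname)
    path_ok = cand.path == reg.path or cand.path.startswith(reg.path.rstrip("/") + "/")
    return host_ok and path_ok


def strict_match(registered: str, candidate: str) -> bool:
    """Exact comparison of scheme, host, port, path and query, as RFC 6749
    section 3.1.2.3 requires when the full redirect URI was registered.
    A fragment in the candidate is rejected outright."""
    reg, cand = urlsplit(registered), urlsplit(candidate)
    return (
        reg.scheme == cand.scheme
        and reg.hostname == cand.hostname
        and reg.port == cand.port
        and reg.path == cand.path
        and reg.query == cand.query
        and cand.fragment == ""
    )


def accepted(matcher, registered: str, candidates) -> list:
    """Return the candidate redirect URIs that `matcher` would accept."""
    return [c for c in candidates if matcher(registered, c)]


# Constructed candidates: the two from the message plus two controls
# (a sibling path and a scheme downgrade) that neither policy should pass.
CANDIDATES = [
    "https://example.com/users",
    "https://example.com/users/bla",
    "https://bla.example.com/users",
    "https://example.com/usersx",
    "http://example.com/users",
]
```

Running `accepted(loose_match, REGISTERED_CALLBACK, CANDIDATES)` returns the first three candidates, while `strict_match` admits only the registered URL itself.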