He hijacked the OAuth flow via host header poisoning

Sep 10, 2018 08:42 GMT

In a post on HackerOne's bug tracking platform, security researcher Ron Chan submitted a report to Twitter detailing how an attacker could take over periscope.tv accounts using a host header attack.

According to Chan, "When you login periscope.tv using twitter, and change the host header from www.periscope.tv to attacker.com/www.periscope.tv, the oauth redirect destination will be attacker.com/www.periscope.tv, thus allowing attacker to send the oauth authorize link to victim, and takeover their account after auto redirect."

With the host header manipulated in this way, an attacker would have been able to send the resulting OAuth authorization link to a victim of their choice and capture the target's credentials in the form of an OAuth authentication token.

It's important to mention that the attack only worked if the victim's Twitter and Periscope TV accounts were linked, with the target having authorized the Periscope TV account beforehand.
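The root cause described above is an OAuth redirect target assembled from the request's Host header rather than from a value the server controls. The following is an added illustration of that weak pattern next to a hardened one, written for this article; it is not Periscope's or Twitter's code. The allowlist entries, the callback path, the authorize endpoint and the log format are assumptions; www.periscope.tv and attacker.com come from the report itself.

```python
"""Host-header-derived OAuth redirect: the weak pattern and a hardened one.

Hypothetical example code, not Periscope's or Twitter's. ALLOWED_HOSTS,
the callback path and the authorize endpoint are assumptions.
"""
import re
from urllib.parse import urlencode

# Hosts this service is allowed to answer for. An operator would configure
# this; the entries are assumptions for the example.
ALLOWED_HOSTS = {"www.periscope.tv", "periscope.tv"}

# A syntactically valid Host value: DNS labels plus an optional port.
# No slashes, no userinfo, no spaces, so "attacker.com/www.periscope.tv"
# (the value from the report) can never pass.
_HOST_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)"
    r"(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*"
    r"(?::\d{1,5})?$",
    re.IGNORECASE,
)


def vulnerable_redirect_uri(host_header: str, callback_path: str = "/oauth/callback") -> str:
    """The weak pattern: whatever Host says becomes the redirect destination."""
    return f"https://{host_header}{callback_path}"


def canonical_host(host_header: str) -> str:
    """Return the hostname only if Host is well-formed and on the allowlist."""
    if not _HOST_RE.match(host_header):
        raise ValueError(f"malformed Host header: {host_header!r}")
    hostname = host_header.split(":", 1)[0].lower()
    if hostname not in ALLOWED_HOSTS:
        raise ValueError(f"Host {hostname!r} is not one of ours")
    return hostname


def hardened_redirect_uri(host_header: str, callback_path: str = "/oauth/callback") -> str:
    """Build the redirect from a validated, allowlisted host (or refuse)."""
    return f"https://{canonical_host(host_header)}{callback_path}"


def build_authorize_url(redirect_uri: str, state: str) -> str:
    """Compose the provider-side authorize link (hypothetical endpoint)."""
    params = {
        "response_type": "code",
        "client_id": "periscope-example",  # placeholder client id
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return "https://api.twitter.example/oauth/authorize?" + urlencode(params)


def host_header_mismatches(log_lines):
    """Detection helper: return access-log lines whose Host is not allowlisted.

    Assumes a log format that records the header as host="...".
    """
    flagged = []
    for line in log_lines:
        match = re.search(r'host="([^"]*)"', line)
        if not match:
            continue
        try:
            canonical_host(match.group(1))
        except ValueError:
            flagged.append(line)
    return flagged


# Constructed sample log lines for the detection helper.
SAMPLE_LOG = [
    'GET /oauth/start host="www.periscope.tv" status=302',
    'GET /oauth/start host="attacker.com/www.periscope.tv" status=302',
    'GET /oauth/start host="periscope.tv:443" status=302',
]

if __name__ == "__main__":
    print(vulnerable_redirect_uri("attacker.com/www.periscope.tv"))
    print(hardened_redirect_uri("www.periscope.tv"))
    for line in host_header_mismatches(SAMPLE_LOG):
        print("flagged:", line)
```

The hardened path treats Host as untrusted input twice over: it must parse as a bare hostname, and that hostname must be one the service actually serves. A stricter option is to drop the header from the calculation entirely and build the redirect from a single configured canonical origin; the allowlist form is shown because multi-domain deployments often need it. The detection helper applies the same check to access logs, which is how an operator could spot requests carrying a foreign Host before the redirect ever reaches a victim.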

The XSS (cross-site scripting) based attack was fixed by Twitter after further explanation from Chan allowed the company to reproduce the behavior described in the security researcher's bug report.

Attack used "Login with Twitter" feature on Periscope TV website

Ron Chan also received a $7,560 bounty for his findings as per Twitter's HackerOne rewards program, and the bug was fixed on February 26th following its disclosure on February 19th.

The bug report was kept under wraps until September 6th when Twitter decided to publicly disclose it after Chan's August 31st request.

Chan's bug report implies that OAuth implementations can still harbor security issues that lead to stolen credentials once a host header attack succeeds.

According to a report by PortSwigger, "Host header attacks are traditionally used for password reset or cache poisoning because they require an out of band attack channel. Chan discovered that he could use Periscope’s OAuth system as such a channel, provided his victim has accounts, such as Periscope and Twitter, linked."