
Leaking the code value via a callback URL whitelist bypass.

Open · EdOverflow opened this issue 7 years ago · 1 comment

This is a ticket to report a security issue in gitment.

In your README.md under "Is it safe to make my client secret public?" you state the following:

Client secret is necessary for OAuth, without which users can't login or comment with their GitHub accounts. Although GitHub doesn't recommend to hard code client secret in the frontend, you can still do that because GitHub will verify your callback URL. In theory, no one else can use your secret except your site. If you find a way to hack it, please open an issue.

There turns out to be an issue in GitHub that allows one to bypass the callback URL whitelist and effectively leak the code values to a third-party. By specifying a sub-domain one can force a redirect to that endpoint. So if one whitelists http://example.com/auth, you can bypass it using http://SOMETHING.example.com/auth. If http://SOMETHING.example.com/auth meets any of the following conditions you have a serious security issue on your hands:

  • HTML injection in a sub-domain
  • XSS in a sub-domain
  • Sub-domain takeover
  • Sub-domain redirect to third-party

This behaviour is unfortunately unintended, because it is not documented anywhere.

In order to mitigate this issue, I suggest rethinking how to design this project altogether.

EdOverflow avatar Nov 25 '17 18:11 EdOverflow

https://advance-esthetic.us/rf-facial-machines

sariabiha avatar Feb 11 '22 11:02 sariabiha