@filedescriptor discovered that by triple URL encoding the hostname portion of the redirect_uri parameter during the OAuth authorization flow, GitHub would see the hostname as matching the configured callback URL, but would single-encode the hostname in the Location header in the actual browser redirect. There is a bug in Internet Explorer, causing it to improperly follow redirects where the hostname is URL encoded. This resulted in the OAuth code parameter being sent to the incorrect domain, which could be registered by an attacker. This code could be used by the attacker to authenticate to the OAuth application as the victim.

The GitHub behavior was the result of our URL parsing/normalizing library not fully normalizing the hostname: normalization was not idempotent, so parsing and normalizing the same hostname multiple times would yield different results. We addressed the vulnerability by updating our URL parsing library, as newer releases properly normalize URLs.
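The root cause above is a normalization step that is not idempotent: one decoding pass produces a hostname that still changes under a second pass, so a comparison done after one pass disagrees with what a client eventually follows. The following is an added illustration, not GitHub's code or its URL library; it uses Python's standard `urllib.parse` and two hypothetical helper names (`decode_to_fixed_point`, `validate_redirect_uri`) to show how a defender can detect a non-idempotent hostname and how a redirect_uri validator can refuse such input outright rather than rely on a single normalization pass. The sample host values are constructed for the demonstration.

```python
from urllib.parse import urlsplit, unquote

# Upper bound on decoding passes; a hostname that has not stabilised by then
# is treated as malformed rather than decoded further.
MAX_DECODE_ROUNDS = 5


def decode_to_fixed_point(value, max_rounds=MAX_DECODE_ROUNDS):
    """Percent-decode `value` until another pass no longer changes it.

    Returns (stable_value, rounds_needed). A correctly normalized hostname
    needs 0 rounds; anything needing more than one reveals layered encoding.
    """
    current = value
    for rounds in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return current, rounds
        current = decoded
    raise ValueError("percent-decoding did not converge within %d rounds" % max_rounds)


def normalization_is_idempotent(host):
    """True if a single decoding pass already yields the fixed point.

    This is the property the page says the old library lacked: when it is
    False, a validator that decodes once and a client that decodes again
    will see two different hostnames.
    """
    single_pass = unquote(host)
    stable, _ = decode_to_fixed_point(host)
    return single_pass == stable


def validate_redirect_uri(candidate, registered):
    """Exact-match check of a requested redirect_uri against the registered one.

    Rather than normalizing the candidate until it looks like the registered
    URL, the check rejects any percent-encoding in the authority component
    (a legitimate hostname never needs it) and then compares scheme, host,
    port and path component by component.
    """
    cand = urlsplit(candidate)
    reg = urlsplit(registered)

    # A hostname has no legitimate reason to carry percent-encoding.
    if "%" in cand.netloc or "%" in reg.netloc:
        return False
    if cand.hostname is None or reg.hostname is None:
        return False

    return (
        cand.scheme == reg.scheme
        and cand.hostname == reg.hostname   # .hostname is already lower-cased
        and cand.port == reg.port
        and cand.path == reg.path
    )


if __name__ == "__main__":
    registered = "https://app.example/callback"          # constructed sample
    layered = "%252561pp.example"                          # 'a' encoded three times
    print(decode_to_fixed_point(layered))                  # ('app.example', 3)
    print(normalization_is_idempotent("app.example"))      # True
    print(normalization_is_idempotent(layered))            # False
    print(validate_redirect_uri(registered, registered))   # True
    print(validate_redirect_uri("https://" + layered + "/callback", registered))  # False
```

The validator deliberately does not try to "see through" the encoding: it treats any `%` in the authority as a reason to refuse, so the outcome no longer depends on how many decoding passes the library or the browser happens to apply. `normalization_is_idempotent` is the unit test to add to a URL library: every hostname it accepts should satisfy it.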