Access token creation should never happen anywhere except at login. Server components outside the login system should lack the server-side privilege to create tokens, even if they tried.
-
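One way to build the privilege split the tweet above calls for, as an added example that is not code from the thread or from Facebook: only the login component holds an Ed25519 signing key, and every other component receives nothing but the public key, so it can verify tokens but has no key with which to mint one. The token format (base64url JSON claims joined to a base64url signature), the `LoginService`, `Verifier` and `PhotoService` types, the sample user table and the sha256 password digest (a stand-in for a real password hash such as argon2) are all assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carried by a token. Hypothetical minimal format: base64url(json) "." base64url(signature).
type Claims struct {
	Sub string `json:"sub"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// LoginService is the only component that ever holds the signing key.
type LoginService struct {
	signKey ed25519.PrivateKey
	users   map[string][32]byte // constructed sample table: user -> sha256(password); stand-in for argon2/bcrypt
}

// Verifier is all any other component receives: a public key can check tokens but cannot mint them.
type Verifier struct {
	pub ed25519.PublicKey
}

// NewLoginService generates the key pair and hands back the login service plus a Verifier
// for distribution to the rest of the system. The private key never leaves LoginService.
func NewLoginService(users map[string]string) (*LoginService, Verifier, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Verifier{}, err
	}
	ls := &LoginService{signKey: priv, users: map[string][32]byte{}}
	for u, p := range users {
		ls.users[u] = sha256.Sum256([]byte(p))
	}
	return ls, Verifier{pub: pub}, nil
}

// Login authenticates and mints in one place; there is deliberately no exported Mint.
func (l *LoginService) Login(user, password string, now time.Time) (string, error) {
	want, ok := l.users[user]
	got := sha256.Sum256([]byte(password))
	if !ok || subtle.ConstantTimeCompare(want[:], got[:]) != 1 {
		return "", errors.New("invalid credentials")
	}
	return l.mint(Claims{Sub: user, Iat: now.Unix(), Exp: now.Add(time.Hour).Unix()}), nil
}

func (l *LoginService) mint(c Claims) string {
	body, _ := json.Marshal(c)
	sig := ed25519.Sign(l.signKey, body)
	return b64(body) + "." + b64(sig)
}

// Verify checks the signature first, then expiry, and only then trusts the claims.
func (v Verifier) Verify(token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return Claims{}, errors.New("malformed token")
	}
	body, err1 := unb64(parts[0])
	sig, err2 := unb64(parts[1])
	if err1 != nil || err2 != nil {
		return Claims{}, errors.New("malformed token")
	}
	if !ed25519.Verify(v.pub, body, sig) {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return Claims{}, err
	}
	if now.Unix() >= c.Exp {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// PhotoService stands in for "every other piece of code": it holds a Verifier and nothing else.
type PhotoService struct{ v Verifier }

// ForgeToken is the best a compromised non-login component can do: it can build claims for
// an arbitrary victim but has no signing key, so the Verifier rejects the result.
func (p PhotoService) ForgeToken(victim string, now time.Time) string {
	body, _ := json.Marshal(Claims{Sub: victim, Iat: now.Unix(), Exp: now.Add(time.Hour).Unix()})
	fake := make([]byte, ed25519.SignatureSize) // all zeros: no key, no valid signature
	return b64(body) + "." + b64(fake)
}

func b64(b []byte) string           { return base64.RawURLEncoding.EncodeToString(b) }
func unb64(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

func main() {
	login, verifier, err := NewLoginService(map[string]string{"alice": "correct horse battery staple"})
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, _ := login.Login("alice", "correct horse battery staple", now)
	c, err := verifier.Verify(tok, now)
	fmt.Println("login token:", c.Sub, err)
	_, err = verifier.Verify(PhotoService{v: verifier}.ForgeToken("bob", now), now)
	fmt.Println("forged token from photo service:", err)
}
```

The point of the design is structural: a bug in `PhotoService` can leak or misuse whatever that component holds, and all it holds is a public key. Minting for arbitrary users requires compromising the login service itself, not any of the countless other code paths.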
What we know from this is that every shitty piece of code in FB has privileges sufficient to create auth tokens for arbitrary users. This suggests there are countlessly many more vulns.
-
Architecture by accretion sure is popular, isn't it?
-
Their APIs are a mess sometimes
-
Shocked, shocked I say!