Of the mobile applications that use Login with Facebook or Login with Google, I’ve found that more than 70% of them suffer from a misconfiguration in validating the tokens at their backend, which leads to account takeover.
This was an issue I reported to Zomato a few months back, where an attacker could have compromised the account of any user who had linked their Facebook with Zomato. And since most people use Login with Facebook nowadays, I was actually able to gain access to thousands of user accounts.
While checking out the Grab Parcel website, I found a link that looked a bit suspicious to me, as it was from a different domain.