    Login forms should definitely not allow access_tokens as passwords, and Heroku should be managing a state header to ensure CSRFs like this don’t occur.

    Very nice and clean finding! This sounds like it could have done a lot of damage.

    OAuth implementation vulnerabilities have already attracted some attention, but I fear they aren’t as well known to devs as they need to be. More posts like this will do the community good in raising awareness.
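The `state` check the comment above asks for, written out as an added example (this is not code from the post, the commenter, or Heroku). It binds an unguessable `state` to the user's session before redirecting to the provider, refuses the callback unless the returned `state` matches that session, and consumes it on use. The endpoint URLs, client id and the dict standing in for a server-side session are placeholders; `run_scenarios` exercises a legitimate login, a login-CSRF attempt where an attacker's authorization code is pushed through the victim's browser, and a replayed callback.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints and client id; any real provider/client pair
# works the same way.
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example/oauth/callback"


def begin_authorization(session: dict) -> str:
    """Start the OAuth flow: mint an unguessable state, bind it to the
    user's session, and send it along with the authorization request."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Finish the flow: accept the authorization code only if the state in
    the callback matches the one bound to *this* session."""
    query = parse_qs(urlparse(callback_url).query)
    received = query.get("state", [None])[0]
    # pop() makes the state single-use, so a replayed callback also fails.
    expected = session.pop("oauth_state", None)
    if expected is None or received is None:
        raise PermissionError("no pending authorization for this session")
    if not hmac.compare_digest(expected, received):
        raise PermissionError("state mismatch: callback not initiated by this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code  # only now is it safe to exchange the code for a token


def run_scenarios() -> dict:
    """Legitimate flow, a login-CSRF attempt, and a replay, all in-process."""
    results = {}

    # 1. Legitimate user: starts the flow and returns with a matching state.
    victim = {}
    begin_authorization(victim)
    results["legit"] = handle_callback(
        victim, f"{REDIRECT_URI}?code=good-code&state={victim['oauth_state']}")

    # 2. Login CSRF: the attacker starts their own flow at the provider, takes
    #    the code issued for *their* account, and makes the victim's browser
    #    load the callback URL so the victim's session gets linked to the
    #    attacker's identity. The victim's session holds a different state,
    #    so the code is never exchanged.
    victim = {}
    begin_authorization(victim)
    attacker = {}
    begin_authorization(attacker)
    forged = f"{REDIRECT_URI}?code=attacker-code&state={attacker['oauth_state']}"
    try:
        handle_callback(victim, forged)
        results["csrf"] = "accepted"
    except PermissionError:
        results["csrf"] = "rejected"

    # 3. Replay: the same legitimate callback submitted twice.
    victim = {}
    begin_authorization(victim)
    url = f"{REDIRECT_URI}?code=good-code&state={victim['oauth_state']}"
    handle_callback(victim, url)
    try:
        handle_callback(victim, url)
        results["replay"] = "accepted"
    except PermissionError:
        results["replay"] = "rejected"

    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The comparison uses `hmac.compare_digest` rather than `==` so the check does not leak timing information, and the state is popped rather than read so a callback URL cannot be presented twice. In a real application the dict would be a server-side session store keyed by a cookie, which is what ties the state to the browser that started the flow.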