Login forms should definitely not allow access_tokens as passwords, and Heroku should be managing a state header to ensure CSRFs like this don’t occur.
Very nice and clean finding! This sounds like it could have done a lot of damage.
OAuth implementation vulnerabilities have already attracted some attention, but I fear they aren’t as well known to devs as they need to be. More posts like this will do the community good in raising awareness.
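The state check the comment above asks for, written out as an added example (not code from the original post or from Heroku); the in-memory session dict, the URL layout and the function names are assumptions made for illustration:

```python
import hmac
import secrets

# Assumption: the application keeps a server-side session per user; a plain
# dict stands in for it here so the example runs offline.
SESSION_STATE_KEY = "oauth_state"


def start_authorization(session: dict, authorize_url: str,
                        client_id: str, redirect_uri: str) -> str:
    """Mint an unguessable state value, bind it to the caller's session and
    return the authorization URL that carries it to the provider."""
    state = secrets.token_urlsafe(32)
    session[SESSION_STATE_KEY] = state
    return (f"{authorize_url}?response_type=code&client_id={client_id}"
            f"&redirect_uri={redirect_uri}&state={state}")


def handle_callback(session: dict, params: dict) -> bool:
    """Accept the provider's callback only if its state matches the value
    bound to this session. The stored state is consumed on every attempt,
    so a callback cannot be replayed and a forged one (no state, or a state
    the victim's session never issued) is rejected before the code is used."""
    expected = session.pop(SESSION_STATE_KEY, None)
    received = params.get("state")
    if not expected or not received:
        return False
    # Constant-time comparison so the expected value is not leaked via timing.
    return hmac.compare_digest(expected, received)
```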