7 thoughts on “Turning Simple Login CSRF to Account Takeover

  1. xxxxxx says:

    Nice Write-up,

    Since They were not using “State Parameter” .

    Attacker can also send his Facebook Access Token to Authenticated Victim to link attacker Facebook Account .
    ?

Leave a Reply

Your email address will not be published. Required fields are marked *