12 thoughts on “Turning Simple Login CSRF to Account Takeover”

  1. xxxxxx says:

    Nice write-up.

    Since they were not using the “State Parameter”:

    An attacker can also send his Facebook access token to an authenticated victim to link the attacker's Facebook account.

  2. dontmentionit says:

    I did not understand how it will work.
    I did not get how, if the state parameter was not checked properly, it can lead to a CSRF.
    Please add requests and responses for the same!
    Thanks in advance, love your write-ups!
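
The two comments above turn on the same point: an OAuth "link account" or login callback that does not bind the returned authorization code to the browser session that started the flow accepts a code issued for somebody else's provider account. The following is an added example, not code from the post or from either commenter, showing a minimal callback handler with and without the state check. Endpoint URLs, client id, and the `session` dictionary are assumptions standing in for a real web framework's session store.

```python
import hmac
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

# Hypothetical provider endpoint and app settings (assumed for this example).
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example/oauth/callback"


def begin_link(session):
    """Start the 'link social account' flow for the logged-in user.

    A fresh random state is generated and stored in this browser's own
    session before redirecting to the provider, so only this session can
    later present it.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session, callback_url):
    """Hardened callback: returns (accepted, reason).

    The state echoed back by the provider must equal the one stored in this
    session (single use); otherwise the code is ignored and nothing is linked.
    """
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)   # consumed on first use
    received = params.get("state", [None])[0]
    if expected is None or received is None:
        return False, "missing state"
    if not hmac.compare_digest(expected, received):
        return False, "state mismatch"
    code = params.get("code", [None])[0]
    if not code:
        return False, "missing code"
    # A real app would now exchange `code` for a token and link the resulting
    # provider account to session["user"]; that exchange is not modelled here.
    return True, f"linked provider account to {session['user']}"


def vulnerable_handle_callback(session, callback_url):
    """The behaviour the comments describe: no state parameter, so any code
    delivered to a logged-in session gets linked to that session's user."""
    params = parse_qs(urlparse(callback_url).query)
    code = params.get("code", [None])[0]
    if not code:
        return False, "missing code"
    return True, f"linked provider account to {session['user']}"


def legitimate_flow():
    """The user starts the flow herself: state round-trips and the link succeeds."""
    session = {"user": "victim"}
    url = begin_link(session)
    state = parse_qs(urlparse(url).query)["state"][0]
    callback = f"{REDIRECT_URI}?" + urlencode({"code": "code-for-user", "state": state})
    return handle_callback(session, callback)


def cross_site_flow(handler):
    """Constructed scenario: a logged-in session receives a callback URL that
    it never initiated, carrying a code issued for some other provider account.
    With the state check it is rejected; without it the foreign account is linked."""
    session = {"user": "victim"}
    callback = f"{REDIRECT_URI}?" + urlencode({"code": "code-for-other-account"})
    return handler(session, callback)


def mismatched_state_flow():
    """A session that did start a flow still rejects a callback carrying a different state."""
    session = {"user": "victim"}
    begin_link(session)
    callback = f"{REDIRECT_URI}?" + urlencode({"code": "c", "state": "not-the-stored-value"})
    return handle_callback(session, callback)
```

The check is cheap: one random value per flow, stored server-side and compared once. Logging the "missing state" and "state mismatch" outcomes is also a useful detection signal, since legitimate provider redirects never arrive without the value the app itself issued.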
