Phabricator disclosed on HackerOne: OAuth access_token stealing in...

Hi, I found that an attacker is able to steal access_tokens of Facebook users via Phabricator App (184510521580034). When users log in to Phabricator, they can choose to log in via Facebook (https://secure.phabricator.com/login/), attaching pic. In this case an attacker is able to exploit this behavior to steal Facebook access_tokens via Phabricator app. Full Reproduce, Exploit: 1....

11 Apr 2014
