The spec itself made mistakes:
• Silent account hijack via “Connect this provider.”
• Redirect leaks of code (via Referrer) or access_token (via #hash).
• CSRF because state was optional and often ignored.
The point is: these aren’t obscure edge cases, they’re structural issues baked into the protocol.
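As an added example (not part of the original post), here is a minimal Python authorization-code client that shows the CSRF issue from the third bullet: a callback handler that ignores state, beside one that binds a fresh single-use state to the session. The endpoint, client id and redirect URI are constructed placeholders, not a real provider.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder settings for the example (no real provider).
AUTHZ_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://app.example/callback"


def begin_login(session: dict) -> str:
    """Start the code flow: mint an unguessable state, bind it to the
    user's session, and carry it to the authorization server."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",  # code flow: no access_token in a #fragment
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": session["oauth_state"],
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def handle_callback_unsafe(session: dict, callback_url: str) -> Optional[str]:
    """Vulnerable pattern: state is never checked, so whatever code arrives
    at this URL gets bound to the current session (login CSRF, or linking
    someone else's provider account to the victim)."""
    qs = parse_qs(urlparse(callback_url).query)
    return qs.get("code", [None])[0]


def handle_callback(session: dict, callback_url: str) -> Optional[str]:
    """Hardened pattern: accept the code only if the callback carries the
    exact state this session issued; the state is consumed on first use."""
    qs = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use
    received = qs.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        return None  # missing, wrong or replayed state: reject the code
    return qs.get("code", [None])[0]
```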