Comprehensive technical writeup documenting multiple race condition vulnerabilities discovered across major platforms (Facebook, Cobalt, Keybase, Mega, DigitalOcean), with detailed exploitation steps showing how concurrent requests can bypass security controls such as email confirmation, coupon redemption limits, and invitation systems. The author provides a methodology for identifying and exploiting race conditions in web applications, with real-world examples and tool references.
A researcher discovered a chain of vulnerabilities in OneDrive OAuth integration: loose redirect_uri validation accepting partial path matches combined with a CSRF-vulnerable API callback endpoint (/api/testCallback?callback_url=) allowed stealing OAuth authorization codes and access tokens from authenticated users.
A CSRF vulnerability in Facebook's OAuth Device Login flow allowed attackers to steal user access tokens by exploiting the lack of state parameter protection during the device code verification step. The attack required the victim to have approved an application with device login enabled, making it a conditional but potentially high-impact vulnerability.