bug-bounty449
google354
xss340
microsoft283
facebook246
apple171
exploit163
rce160
malware102
account-takeover95
cve91
bragging-post84
csrf83
browser77
writeup76
privilege-escalation68
react60
authentication-bypass57
cloudflare54
dos53
node52
ssrf51
docker51
phishing50
aws48
access-control47
oauth45
smart-contract45
supply-chain44
ethereum43
web342
defi42
sql-injection41
lfi37
idor35
vulnerability-disclosure32
smart-contract-vulnerability32
info-disclosure31
race-condition31
burp-suite31
web-application31
reverse-engineering31
clickjacking31
wordpress30
information-disclosure29
cloud29
input-validation29
web-security28
reflected-xss27
solidity27
0
8/10
vulnerability
A combination of login CSRF and HTTP Referer header-based open redirect in Airbnb's OAuth flow allowed attackers to steal OAuth access tokens from identity providers (Facebook/Google) and achieve authentication bypass on both web and mobile applications. The attack exploited the fact that Airbnb's /oauth_callback endpoint used the unvalidated HTTP Referer header for post-login redirection, combined with the ability to request access tokens via URL fragments instead of parameters.
oauth-bypass
token-theft
csrf
open-redirect
http-referer
authentication-bypass
login-csrf
oauth-flow
mobile-app-security
facebook
google
Airbnb
Arne Swinnen
Facebook
Google
Slack
Frans Rosén