Authentication bypass on Airbnb via chained OAuth vulnerabilities: an HTTP Referer-based open redirect in the OAuth callback endpoint, combined with login CSRF, allowed attackers to steal OAuth access tokens from identity providers (Facebook/Google) and authenticate as victims on both the web and mobile applications. The attack exploited Airbnb's use of long-lived identity provider access tokens for mobile app authentication together with weak Referer-based redirect logic.
Uber's SSO system based on shared session cookies across *.uber.com subdomains was vulnerable to authentication bypass via a combination of subdomain takeover on saostatic.uber.com (dangling CloudFront CNAME) and session cookie theft through CSRF token relay attacks. An attacker could compromise any *.uber.com subdomain to steal the '_csid' shared session cookie and relay CSRF tokens to impersonate authenticated users across all Uber subdomains.
A technical guide to setting up Pocket ID, a lightweight OIDC identity provider focused on passkey-based authentication, as a simpler alternative to Keycloak for self-hosted services. The author covers installation, client configuration patterns, and integration with multiple self-hosted applications including Gitea, Argo CD, Grist, Sentry, n8n, and WordPress.