How we hacked Facebook with OAuth2 and Chrome bugsTL;DR We (me and @isciurus) chained several different bugs in Facebook, OAuth2 and Google Chrome to craft an interesting exploit. MalloryPage can obtain your signed_request, code and access token for any client_id you previously authorized on Facebook. The flow is quite complicated so let me explain the bugs we used. 1. in Google Chrome XSS Auditor, leaking document.referrer. 3 weeks ago I wrote d
