[$13337] Confused Deputy: Google IdP Universal Account Takeover via Device Code Flow Hijacking
RFC 8628’s device authorization grant lets a TV or CLI “poll” for login on a second screen. On Google’s implementation, the entire session was transferable across browsers, the authorization server never checked that the client_id and scope in the consent URL matched the ones the device_code was issued for, and prompt=none turned the whole thing into a one-click, invisible account takeover. submitted by /u/swinglr [link] [comments]Technical Information Security Content & DiscussionRead More