Glad we were able to mitigate this one for our customers, but have also been a bit surprised this vulnerability hasn't been generating more chatter.
tl;dr: if you use Google OAuth, any XSS on your site can likely be chained into a long-lived account takeover. In a roundabout way, it works around the protections afforded by HttpOnly cookies.
You can mitigate by always redirecting to a URL with an empty fragment (#) if your oauth callback URL experiences any failure.
colinclerk|1 year ago
Glad we were able to mitigate this one for our customers, but have also been a bit surprised this vulnerability hasn't been generating more chatter.
tl;dr: if you use Google OAuth, any XSS on your site can likely be chained into a long-lived account takeover. In a roundabout way, it works around the protections afforded by HttpOnly cookies.
You can mitigate by always redirecting to a URL with an empty fragment (#) if your oauth callback URL experiences any failure.