|
|
|
|
|
|
by colinclerk
679 days ago
|
|
|
Hey - cofounder of Clerk here Glad we were able to mitigate this one for our customers, but have also been a bit surprised this vulnerability hasn't been generating more chatter. tl;dr: if you use Google OAuth, any XSS on your site can likely be chained into a long-lived account takeover. In a roundabout way, it works around the protections afforded by HttpOnly cookies. You can mitigate by always redirecting to a URL with an empty fragment (#) if your oauth callback URL experiences any failure. |
|
|