Fun Apps forwards Derpina’s access token to BMS and logs into Derpina’s BMS account
Visual representation of the assumed way the victim’s access token is used to log into BMS

Disclaimer: This story is just to give you an idea of how a misconfigured social login can be exploited.

Hello cruel world,

This is the story of an innocent girl, Derpina Victims, whose account got hacked because she just wanted to know “when she will die” from a viral, stupid Facebook app.

Derpina got to know about this “cool” Facebook app that tells her when she will die. All her friends were posting their results, so she tried it as well. …

In Sept. 2013 I found a Reflected XSS in Why write it up now? Because I didn’t want to “show off”, for reasons. Enough with the drama :D. Let’s get to the point.

So I was looking at all the names in the Hall of Fame of different sites. On the page, I thought the list was long, but I wanted my name in the list.
