1 comment

[ 3.3 ms ] story [ 12.3 ms ] thread
Hey - cofounder of Clerk here

Glad we were able to mitigate this one for our customers, but have also been a bit surprised this vulnerability hasn't been generating more chatter.

tl;dr: if you use Google OAuth, any XSS on your site can likely be chained into a long-lived account takeover. In a roundabout way, it works around the protections afforded by HttpOnly cookies.

You can mitigate by always redirecting to a URL with an empty fragment (#) if your oauth callback URL experiences any failure.