<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel>
<title>weirdmachine64 // security research</title><link>https://weirdmachine64.github.io</link>
<description>Security research, vulnerability writeups, and responsible disclosure by Mohamed Benchikh.</description><lastBuildDate>Thu, 16 Jul 2026 14:48:38 GMT</lastBuildDate>
<item><title>Confused Deputy: Google IdP Universal Account Takeover via Device Code Flow Hijacking</title><link>https://weirdmachine64.github.io/research/google-oauth-device-code-hijacking.html</link>
<guid>https://weirdmachine64.github.io/research/google-oauth-device-code-hijacking.html</guid><description>RFC 8628's device authorization grant lets a TV or CLI "poll" for login on a second screen. On Google's implementation, the entire session was transferable across browsers, the authorization server never checked that the client_id and scope in the consent URL matched the ones the device_code was issued for, and prompt=none turned the whole thing into a one-click, invisible account takeover.</description></item><item><title>Google Cloud Account Takeover via URL Parsing Confusion</title><link>https://weirdmachine64.github.io/research/google-cloud-ato-url-parsing.html</link>
<guid>https://weirdmachine64.github.io/research/google-cloud-ato-url-parsing.html</guid><description>A unique OAuth account takeover affecting several Google services. URL parsing confusion in the redirect_uri parameter meant the payload http://[::1]@[::1]@attacker.com let me impersonate first-party clients like the gcloud CLI and leak the victim's access token to my server, with almost zero visibility to the victim.</description></item>
</channel></rss>