# research
2 writeups · vulnerability research, exploitation, and CTF.
Confused Deputy: Google IdP Universal Account Takeover via Device Code Flow Hijacking
RFC 8628's device authorization grant lets a TV or CLI "poll" for login on a second screen. On Google's implementation, the entire session was transferable across browsers, the authorization server never checked that the client_id and scope in the consent URL matched the ones the device_code was issued for, and prompt=none turned the whole thing into a one-click, invisible account takeover.
Google Cloud Account Takeover via URL Parsing Confusion
A unique OAuth account takeover affecting several Google services. URL parsing confusion in the redirect_uri parameter meant the payload http://[::1]@[::1]@attacker.com let me impersonate first-party clients like the gcloud CLI and leak the victim's access token to my server, with almost zero visibility to the victim.