Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Authorization Token on PlayStation Network Leaks via postMessage function - 319

Phuriphat Boontanon - Posted 5 Years Ago
  • The OAuth handler for the PlayStation Network uses postMessage across websites to send the OAuth data.
  • The logic that chooses the window to send this to is poor, though. The Window option sends the message to window.opener and does NOT validate the domain at all.
  • So, by opening up the OAuth handler on a malicious site, the OAuth code would be sent to the malicious site via postMessage!
  • Although this appears to be a very weird bug, understanding how the website works and thinking of interesting attack scenarios never gets old.
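
The sender-side fix for the pattern summarized above, as an added example (not code from the write-up or from the PlayStation Network): the handler passes an explicit, allowlisted `targetOrigin` to `postMessage` instead of `"*"`. The windows are simulated so it runs in Node; `TRUSTED_ORIGINS`, `makeOpener`, `sendUnsafe`, `sendSafe` and all origins are hypothetical.

```javascript
// Constructed allowlist; in practice this comes from the client's registered
// origins on the server, because a page cannot read a cross-origin opener's origin.
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);

// Minimal stand-in for window.opener. Like a browser, it delivers a message
// only when targetOrigin is "*" or equals the receiving window's own origin.
function makeOpener(origin) {
  const received = [];
  return {
    received,
    postMessage(data, targetOrigin) {
      if (targetOrigin === "*" || targetOrigin === origin) received.push(data);
    },
  };
}

// Flawed pattern: whichever site opened the handler receives the OAuth data.
function sendUnsafe(opener, oauthData) {
  opener.postMessage(oauthData, "*");
}

// Hardened: the sender names the single origin allowed to read the message,
// so delivery is dropped when the opener is on any other origin.
function sendSafe(opener, oauthData, expectedOrigin) {
  if (!TRUSTED_ORIGINS.has(expectedOrigin)) {
    throw new Error("refusing to post to unlisted origin: " + expectedOrigin);
  }
  opener.postMessage(oauthData, expectedOrigin);
}

// Run both senders against a legitimate opener and an unrelated one.
function demo() {
  const data = { code: "CONSTRUCTED-OAUTH-CODE" }; // constructed sample value
  const results = {};
  for (const [name, send] of [["unsafe", sendUnsafe], ["safe", sendSafe]]) {
    const legit = makeOpener("https://app.example.com");
    const other = makeOpener("https://untrusted.example");
    send(legit, data, "https://app.example.com");
    send(other, data, "https://app.example.com");
    results[name] = { legit: legit.received.length, other: other.received.length };
  }
  return results;
}

console.log(demo());
```

On the receiving side, the matching check is to compare `event.origin` against the expected sender before trusting `event.data`.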