Salt Labs, the research arm of API security firm Salt Security, discovered this XSS attack, which can bypass current mitigations and potentially lead to complete account takeover. The flaw arises when OAuth is not implemented with sufficient care and rigor, which unfortunately is often the case.