Http Response Splitting - Validate link

So i found a http response splitting issue in your website. If we visit the following url: https://www.binary.com/user/validate_link?step=account&verify_token=sometoken We will get a response header that says: Set-Cookie: verify_token=sometoken; expires=Wed, 28 Oct 2015 23:31:35 GMT; domain=.binary.com; path=/; secure However this value doesnt seem to be urlencoded which gives the attacker the option to create his own response header. For example if you were to visit: https://www.binary.com/user/validate_link?step=account&verify_token=%0aSet-Cookie:%20GerbenJavado=Awesome;%0a The following response header will be included in the response: (shameless plug) Set-Cookie: GerbenJavado=Awesome; #Attacker Scenario Since this attack doesnt require any user interaction to be exploited, a attacker could do lots of fun stuff using this vulnerability by including a malicious url in a Iframe or even in a IMG tag. - As the example shows the attacker can set cookies for the user on binary.com - The attacker can disable or bypass security headers placed by the server One restricition the attacker has is that the request is a redirect. This made it for me impossible to XSS attacks or Cache Poisining. Maybe you guys could look a bit into this further. However i would argue that because of the fact user interaction is not needed and the fact that the attacker can set his own headers (including cookies) the attack is fairly scary.