Account Takeover

Disclosed: 2026-04-08 19:30:45 By amakki To glassdoor
Medium
Vulnerability Details
**Summary:**

Affected URL or select Asset from In-Scope: ████████
Affected Parameter: token
Vulnerability Type: Account Takeover
Browsers tested: Chrome

## Steps To Reproduce:

1. Get any user access token from your Facebook/Google app.
2. Replace your token in the request shown in the video with the target token (the request can be found when you sign in with Facebook on the iOS app).
3. The app will not validate the token and will let you in!

## Supporting Material/References (screenshots, logs, videos):

* PoC Video: █████

The app is not validating whether the token came from the same Facebook app or not, so you can use any token of any user who used your Facebook app before to log into Glassdoor, which allows account takeover.
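The root cause described in the report is a missing audience check: the backend accepts a social-login access token as long as the identity provider says it is valid, without confirming the token was issued to *this* application. The following is an added example, not code from the report or from Glassdoor, showing the vulnerable acceptance logic beside a hardened version. The introspection responses are constructed inline and shaped like the `data` object of Facebook's `GET /debug_token` endpoint (`app_id`, `user_id`, `is_valid`, `expires_at`); the app IDs and token strings are placeholders.

```python
"""
Validating a third-party OAuth access token before exchanging it for a local session.

Added example. The introspection results below are constructed for the demo and
follow the shape of Facebook's /debug_token "data" object; nothing here calls the network.
"""
import time
from typing import Callable, Dict

# Hypothetical placeholder for the app ID this service registered with the identity provider.
OUR_APP_ID = "000000000000000"

# Constructed introspection results keyed by token string.
#  - tok-victim-ourapp:      a token the victim obtained by logging into OUR app
#  - tok-attacker-otherapp:  a token for the same user, but issued to a DIFFERENT app
#                            (the report's scenario: the provider still reports it as valid)
#  - tok-expired:            a token for our app whose lifetime has passed
FAKE_INTROSPECTION: Dict[str, dict] = {
    "tok-victim-ourapp": {
        "app_id": OUR_APP_ID, "user_id": "victim", "is_valid": True, "expires_at": 4102444800,
    },
    "tok-attacker-otherapp": {
        "app_id": "111111111111111", "user_id": "victim", "is_valid": True, "expires_at": 4102444800,
    },
    "tok-expired": {
        "app_id": OUR_APP_ID, "user_id": "victim", "is_valid": True, "expires_at": 1500000000,
    },
}


def fake_introspect(token: str) -> dict:
    """Stand-in for the provider's introspection call; unknown tokens come back invalid."""
    return FAKE_INTROSPECTION.get(token, {"is_valid": False})


class TokenRejected(Exception):
    pass


def vulnerable_login(token: str, introspect: Callable[[str], dict] = fake_introspect) -> str:
    """Mirrors the flaw in the report: any token the provider calls valid is accepted,
    so a token issued to an unrelated app still maps to the victim's local account."""
    data = introspect(token)
    if not data.get("is_valid"):
        raise TokenRejected("provider reports token invalid")
    return data["user_id"]


def hardened_login(
    token: str,
    expected_app_id: str = OUR_APP_ID,
    introspect: Callable[[str], dict] = fake_introspect,
    now: float = None,
) -> str:
    """Accepts the token only if it is valid, issued to our app, unexpired and bound to a user."""
    now = time.time() if now is None else now
    data = introspect(token)
    if not data.get("is_valid"):
        raise TokenRejected("provider reports token invalid")
    # The audience check the report says was missing: compare as strings, since
    # providers return the app ID in different types across API versions.
    if str(data.get("app_id")) != str(expected_app_id):
        raise TokenRejected("token was issued to a different app (audience mismatch)")
    if int(data.get("expires_at", 0)) <= now:
        raise TokenRejected("token expired")
    user_id = data.get("user_id")
    if not user_id:
        raise TokenRejected("no user bound to token")
    return user_id


def login_outcome(login: Callable[..., str], token: str, **kwargs) -> str:
    """Helper that turns a login attempt into a one-line result for display or testing."""
    try:
        return "session for " + login(token, **kwargs)
    except TokenRejected as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    for tok in FAKE_INTROSPECTION:
        print(f"{tok:24} vulnerable -> {login_outcome(vulnerable_login, tok)}")
        print(f"{tok:24} hardened   -> {login_outcome(hardened_login, tok, now=1_700_000_000)}")
```

In production `introspect` would call the provider's introspection endpoint with the app's own credentials (for Facebook, `https://graph.facebook.com/debug_token?input_token=<user_token>&access_token=<app_id>|<app_secret>`), and the `expected_app_id` would come from configuration, never from the client request. The point to take from the two functions is that "valid according to the provider" is not the same as "issued to us": the hardened path rejects the cross-app token and the expired one, while the vulnerable path hands out a session for both tokens that carry the victim's user id.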
Report Stats
  • Report ID: 970763
  • State: Closed
  • Substate: resolved
  • Upvotes: 3