This should serve as a reminder to developers: GET requests should only be returning information, not writing information.

With an IMG tag it's trivial to get any user to execute any GET request the attacker wants, and that was critical in this exploit for binding a specified token to a user's account.
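The point the comment makes, worked through in code as an added example (it is not code from the article or from the commenter, and the handler names, paths and token values are assumed): the browser attaches the victim's session cookie to every request to the site, including a GET triggered by an attacker-supplied `<img src="...">`, so a handler that writes state on GET can be driven by any page the victim visits. The hardened handler below rejects anything but POST and requires a per-session CSRF token that a cross-site page cannot read. Stdlib only; the "app" is a toy dispatcher that models just enough of a web framework to show the difference.

```python
"""
Added example: a state-changing GET endpoint (the bug the comment describes)
next to a hardened POST-only version with a CSRF token check.
All names, paths and token values here are assumptions for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    """What the server sees. session_user is whoever the browser's cookie
    identifies; the browser sends that cookie with *any* request to the
    site, including one produced by an <img> tag on an attacker's page."""
    method: str
    path: str
    params: dict
    session_user: Optional[str]
    csrf_token: Optional[str] = None  # sent in a form body; an <img> GET never carries it


@dataclass
class App:
    bound_tokens: dict = field(default_factory=dict)  # user -> bound token
    csrf_tokens: dict = field(default_factory=dict)   # user -> per-session secret

    def issue_csrf_token(self, user: str) -> str:
        """Called when the app renders its own 'bind token' form."""
        tok = secrets.token_urlsafe(32)
        self.csrf_tokens[user] = tok
        return tok

    # Vulnerable: a GET that writes. Anything that can make the victim's
    # browser fetch a URL (an <img> tag is enough) can bind a token.
    def bind_vulnerable(self, req: Request) -> int:
        if req.session_user is None:
            return 401
        self.bound_tokens[req.session_user] = req.params["token"]
        return 200

    # Hardened: writes only on POST, and only when the request carries the
    # CSRF token issued to this session. Cross-site pages cannot read it.
    def bind_hardened(self, req: Request) -> int:
        if req.session_user is None:
            return 401
        if req.method != "POST":
            return 405  # <img>, <a>, redirects can only produce GET
        expected = self.csrf_tokens.get(req.session_user)
        if expected is None or req.csrf_token is None \
                or not hmac.compare_digest(expected, req.csrf_token):
            return 403
        self.bound_tokens[req.session_user] = req.params["token"]
        return 200


def simulate() -> dict:
    """Replay the scenario: a logged-in victim loads a page containing
    <img src="https://app.example/bind?token=attacker-token"> (constructed)."""
    results = {}
    forged_get = Request("GET", "/bind", {"token": "attacker-token"},
                         session_user="victim")

    app = App()
    results["vulnerable_status"] = app.bind_vulnerable(forged_get)
    results["vulnerable_bound"] = app.bound_tokens.get("victim")

    app = App()
    results["hardened_status"] = app.bind_hardened(forged_get)
    results["hardened_bound"] = app.bound_tokens.get("victim")

    # A forged POST fails too: the attacker cannot read the session's token.
    forged_post = Request("POST", "/bind", {"token": "attacker-token"},
                          session_user="victim", csrf_token="guess")
    results["forged_post_status"] = app.bind_hardened(forged_post)

    # Legitimate flow: the app's own form submits the token it issued.
    tok = app.issue_csrf_token("victim")
    legit = Request("POST", "/bind", {"token": "victim-token"},
                    session_user="victim", csrf_token=tok)
    results["legit_status"] = app.bind_hardened(legit)
    results["legit_bound"] = app.bound_tokens.get("victim")
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Requiring POST alone is not sufficient, since a cross-site form can POST; the CSRF token check is what closes the gap, and marking the session cookie `SameSite=Lax` or `Strict` adds a second, browser-enforced layer on top of it.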
What a great writeup! I'm always uneasy about web and REST security, because of the number of serious issues found in production apps that have huge engineering resources behind them. It's nice to see examples like this that show that the good old enemies of security are still a large factor: complexity, convenience and features/feature creep (often driven by convenience leading to complexity).

Nice, because the article clearly shows how a more conservative approach would have avoided these issues. So with a more limited scope it should be possible to avoid these issues, even with limited resources :)