True, but it would be tricky.
Wouldn’t the attacker have to find a way to extract the code_verifier from local storage and pass it along with the hijacked redirect? They would have to somehow have the ability to write custom JS code on the path they are redirecting to. I guess this is possible on sites that don’t sanitize user inputs.