Bug 1826674 Comment 13 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

I don't think there is a problem with the staging server, this is how the application is supposed to work. I am still not able to access the production instance, I will check with the team if there is a problem there. I will test on production when I get the chance.

If you were able to generate the token for the victim, then you can login, we confirmed that. However, for the attack to be successful, you need to trick the users into authenticating so that you can their authentication token, and this part is not possible because of the state parameter.

I don't think there is a problem with the staging server, this is how the application is supposed to work. I am still not able to access the production instance, I will check with the team if there is a problem there. I will test on production when I get the chance.

If you were able to generate the token for the victim, then you can login, we confirmed that. However, for the attack to be successful, you need to trick the users into authenticating so that you can get their authentication token, and this part is not possible because of the state parameter.
