From "Log in with OAuth" to "Your Account Is Mine" – Desktop App Edition
Abstract
Just one click on a malicious link → account takeover. No phishing, no malware.
I discovered a security flaw in a popular desktop app’s OAuth flow that let me steal any user’s account just
blog.mirzadzare.net · 9 min read
V4L4
Nice Job Dude 🔥, keep pushing 😊