So I found an HTTP response splitting issue in your website. If we visit the following URL:
We will get a response header that says:
Set-Cookie: verify_token=sometoken; expires=Wed, 28 Oct 2015 23:31:35 GMT; domain=.binary.com; path=/; secure
However, this value doesn't seem to be URL-encoded, which gives the attacker the option to create his own response header. For example, if you were to visit:
The following response header will be included in the response: (shameless plug)
Since this attack doesn't require any user interaction to be exploited, an attacker could do lots of fun stuff with this vulnerability by including a malicious URL in an iframe or even in an IMG tag.
One restriction the attacker has is that the request is a redirect. This made it impossible for me to perform XSS attacks or cache poisoning. Maybe you guys could look into this a bit further. However, I would argue that because user interaction is not needed and the attacker can set his own headers (including cookies), the attack is fairly scary.
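The following is an added example, not code from the report or from the site's own server, showing the mechanism described above: a cookie value that is interpolated into `Set-Cookie` without encoding lets an attacker-supplied CR/LF end that header line and start new ones, which a client then parses as genuine headers. The cookie name `verify_token`, the `expires`/`domain`/`path`/`secure` attributes and the `.binary.com` domain come from the report; the redirect target, the attacker's token and the injected header names are constructed for illustration. The same block shows the two usual fixes: percent-encoding the value, or rejecting any value containing CR or LF outright.

```python
# Added example (not from the report): how an unencoded cookie value splits
# the HTTP response, and two ways to close the hole. The Location target,
# the attacker token and the injected header names are constructed.
from urllib.parse import quote

CRLF = "\r\n"

def build_set_cookie(token: str, encode: bool) -> str:
    """Build the Set-Cookie value. With encode=False the raw token is
    interpolated verbatim, which is the bug the report describes."""
    value = quote(token, safe="") if encode else token
    return (f"verify_token={value}; expires=Wed, 28 Oct 2015 23:31:35 GMT; "
            f"domain=.binary.com; path=/; secure")

def build_redirect(token: str, encode: bool) -> bytes:
    """Serialise a 302 redirect carrying the cookie the way a naive server
    would: header lines joined with CRLF and no validation of the values."""
    lines = [
        "HTTP/1.1 302 Found",
        "Location: https://www.binary.com/",  # assumed redirect target
        "Set-Cookie: " + build_set_cookie(token, encode),
    ]
    return (CRLF.join(lines) + CRLF + CRLF).encode("latin-1")

def parse_response_headers(raw: bytes) -> dict:
    """Minimal client-side header parse: split the head on CRLF, stop at the
    blank line. Browsers do essentially the same, which is why injected
    lines are honoured as real headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    _status, *header_lines = head.decode("latin-1").split(CRLF)
    headers: dict = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def headers_seen_by_client(token: str, encode: bool) -> dict:
    """Headers a client would see for a redirect built from this token."""
    return parse_response_headers(build_redirect(token, encode))

def crlf_free(token: str) -> bool:
    """True if the value contains neither CR nor LF."""
    return "\r" not in token and "\n" not in token

def set_cookie_or_reject(token: str) -> str:
    """The other fix: refuse CR/LF outright (as modern HTTP libraries do)
    instead of percent-encoding, so a bad value can never reach the wire."""
    if not crlf_free(token):
        raise ValueError("cookie value contains CR/LF")
    return build_set_cookie(token, encode=False)

# Constructed attacker input: the token terminates the Set-Cookie line, adds
# an attacker-chosen header and sets a second cookie of the attacker's choice.
ATTACK_TOKEN = "x\r\nX-Injected: yes\r\nSet-Cookie: session=attacker; path=/"

if __name__ == "__main__":
    for encode in (False, True):
        seen = headers_seen_by_client(ATTACK_TOKEN, encode)
        print(f"encode={encode}: x-injected present={'x-injected' in seen}, "
              f"set-cookie count={len(seen['set-cookie'])}")
```

With `encode=False` the client sees an `X-Injected` header and two `Set-Cookie` headers, the second one entirely attacker-controlled; with `encode=True` the CR and LF become `%0D%0A` inside the cookie value and the response carries exactly the headers the server intended.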