Firefox RCE by chaining small bugs
The Main Bug: The main bug that made this possible was a strange behavior where 'javascript:' URLs coming from bookmarks were turning into chrome windows after a refresh occurs. This gave me my first chance at potentially injecting arbitrary chrome code; achieving that would mean I have an RCE!...
Uber: Chained Bugs to Leak Victim's Uber's FB OAuth Token
The Facebook OAuth application was misconfigured to allow any URL that followed the https://auth.uber.com/login? format to be provided as a redirect_uri. By taking advantage of this, @ngalog was able to discover that the nexturl parameter could be added to the redirect_uri, allowing it to be chained...