Basecamp: Attachments may be hijacked via AppCache+CookieBombing trick (bc3_production_blobs bucket)

Basecamp attachments are stored in the bc3productionblobs bucket in the root directory and can be served with text/html content-type...