omniauth is susceptible to cross-site request forgery attacks. The attacks are possible because it stores POST parameters in addition to GET parameters in callback phase, thereby exposing authenticity_tokens from the POST parameters and leading to bypass of cross-site request forgery protection.