27. MyFaceNovel.com ď Attacker quietly posts signed payloads ď Victim creates token www.evil.com Google (JSON) www.geocities.com/evil1 www.myspace.com/evil2 www.sharedhost.net/evil3 www.goodguys.com/poison remote scripting ď Victim queries Google for token using JSON ď Victim finds a signed result ď Executes the signed payload