27. MyFaceNovel.com Attacker quietly posts signed payloads Victim creates token www.evil.com Google (JSON) www.geocities.com/evil1 www.myspace.com/evil2 www.sharedhost.net/evil3 www.goodguys.com/poison remote scripting Victim queries Google for token using JSON Victim finds a signed result Executes the signed payload