Original disclosure for client-side attack:

Disclosure follow-up (server-side attack):