Critbook's OAuth flow doesn't validate the state parameter. Hijack the authorisation code and log in as another user.
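
The missing check, seen from the defending side, as an added example that is not Critbook's own code: a callback handler that ignores `state` next to one that binds it to the session, compares it in constant time and allows it to be used once. The function names, the dict-based session and the sample values are assumptions made for illustration.

```python
import hmac
import secrets


class StateError(Exception):
    """Raised when the callback's state does not match the session's."""


def begin_authorization(session: dict) -> str:
    """Start a flow: create an unguessable state, keep it in the
    server-side session, and return it for the authorisation URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def callback_vulnerable(session: dict, params: dict) -> str:
    """The behaviour the challenge describes: state is never checked,
    so a code from any flow is accepted in this session."""
    return params["code"]


def callback_hardened(session: dict, params: dict) -> str:
    """Accept the code only if the callback's state is the one this
    session issued. pop() makes the state single-use."""
    expected = session.pop("oauth_state", None)
    received = params.get("state")
    if not expected or not received:
        raise StateError("missing state")
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise StateError("state mismatch")
    return params["code"]


if __name__ == "__main__":
    # Constructed sample: a session that started its own flow receives a
    # callback whose code and state came from a different flow.
    session = {}
    begin_authorization(session)
    foreign = {"code": "code-from-other-flow", "state": "not-this-session"}
    print("vulnerable accepts:", callback_vulnerable(dict(session), foreign))
    try:
        callback_hardened(session, foreign)
    except StateError as exc:
        print("hardened rejects:", exc)
```
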