An attack flow that combines API flaws within "log in with" implementations and Web injection bugs could affect millions of websites.