Security flaw in OAuth and OpenID