A method to recover an auto locked account by a pool. (you had supposed to receive an unlock email)
But if you didn't receive this email then request a password reset and Don't click the link! then take the token form link and the domain. And put them in an unlock link.
This works because the token is like a cookie. a cookie in user's account database record. the record is updated each time to a different random value, and deleted after use. The reason it fails because there is only one column for token for all the commands. This is kind of an insignificant security weakness witch can be exploited to your advantage to recover your account.
Example unlock address I got once from a MPOS pool:
http://domain.com/index.php?page=account&action=unlock&token=2c24abed528203fbc56f58bae761c2c4cb171eeb31f62e6963c458d3747bba00Shimon Doodkin
Send to me some of the recovered money:
bitcoin: 1Gc1wwgSg3sSEKrEwhmvbsgRWcKRJHrv5d
auroracoin: Af5RYDkFjG4DDjLkjEZ24gpmbxyEw2b7zQ
