Maged



Offline



Activity: 1204

Merit: 1006







LegendaryActivity: 1204Merit: 1006 Re: Full Disclosure: Blockchain.info My Wallet Stored XSS. December 28, 2014, 04:05:35 AM #2 Quote from: nogf on December 28, 2014, 12:48:45 AM ... can inject JavaScript into the wallet



...



This "resolution" ignores that the bug can be used to cause a persistent compromise.

On the contrary, because of the Content Security Policy, you cannot inject JavaScript on most browsers, greatly reducing the attack surface. Unfortunately, you can inject styling and html, which if you've ever seen Reddit or one of those CSS demonstration sites you would know that it can still change enough of the page to convince the user to do something bad. But again, that wouldn't be automatic. Still an issue, but not as bad as you make it out to be. They should really disable inline styling after they fix this. On the contrary, because of the Content Security Policy, you cannot inject JavaScript on most browsers, greatly reducing the attack surface. Unfortunately, youinject styling and html, which if you've ever seen Reddit or one of those CSS demonstration sites you would know that it can still change enough of the page to convince the user to do something bad. But again, that wouldn't be automatic. Still an issue, but not as bad as you make it out to be. They should really disable inline styling after they fix this.

1MagedVeZqDtU4Jh5BdgvHpcWk9dXFzZY8 Like my posts? Donate!