Bitcoin Forum

Alternate cryptocurrencies => Altcoin Discussion => Topic started by: logosobscura on January 04, 2018, 11:49:41 AM



Title: Lax Security on a lot of Crypto Sites- be careful everyone- a nice simple check.
Post by: logosobscura on January 04, 2018, 11:49:41 AM
Posting this here because it's really starting to bug me.

I got asked by a friend why he keeps seeing Google Ads that are clones of known exchanges. He sent me a few URLs, and each and every single one was operating not as a clone but as an XSS attack, because the exchanges didn't have the basic security headers set. Some examples of bad offenders:

Binance Header Report (https://securityheaders.io/?q=binance.com&followRedirects=on) - No CSP policy, no XSS blocks, no referrer policy

MyEtherWallet Header Report (https://securityheaders.io/?q=myetherwallet.com&followRedirects=on) - Literally embarrassing: it doesn't have anything set at all, despite being told in their GitHub repo how to fix it and being given a pull request.

Everyone, be careful, and scan the sites you use before you get ripped off by someone doing a drive-by.
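For anyone who wants to run the kind of check the post recommends without depending on a third-party scanner, here is an added example (not code from the original post, and not how securityheaders.io itself is implemented). It audits a response's headers for the hardening headers the post mentions (CSP, the legacy X-XSS-Protection toggle, Referrer-Policy) plus HSTS, X-Frame-Options and X-Content-Type-Options, flags weak values such as a CSP that permits inline scripts, and assigns a rough letter grade of my own devising. The sample responses at the bottom are constructed for illustration and are not captures from any real site; the optional live fetch uses only the standard library.

```python
"""Minimal security-header audit, in the spirit of securityheaders.io.

Added example. The header list and the weak-value rules are my own
selection; the grading scale is invented for illustration.
"""
import re
import sys
import urllib.request

# Hardening headers a browser acts on, keyed by lower-cased name.
EXPECTED = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "x-xss-protection",  # legacy browser filter toggle; still scored in 2018-era scans
)


def _parse_csp(value):
    """Split a CSP string into {directive: [source tokens]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_headers(headers):
    """Return a list of (severity, message) findings for a header mapping.

    Header names are matched case-insensitively. 'missing' means the header
    is absent; 'weak' means it is present but its value undoes the protection.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = [("missing", name) for name in EXPECTED if name not in h]

    csp = h.get("content-security-policy")
    if csp:
        directives = _parse_csp(csp)
        # script-src falls back to default-src when not given explicitly.
        script = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script:
            findings.append(("weak", "content-security-policy allows 'unsafe-inline' scripts"))
        if "'unsafe-eval'" in script:
            findings.append(("weak", "content-security-policy allows 'unsafe-eval'"))
        if "*" in script:
            findings.append(("weak", "content-security-policy script source is '*'"))

    hsts = h.get("strict-transport-security")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < 15552000:  # roughly 180 days
            findings.append(("weak", "strict-transport-security max-age under 180 days"))

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("weak", "x-frame-options has unusual value %r" % xfo))

    xcto = h.get("x-content-type-options", "").strip().lower()
    if xcto and xcto != "nosniff":
        findings.append(("weak", "x-content-type-options is not 'nosniff'"))

    return findings


def grade(findings):
    """Letter grade: A with no findings, one step down per finding, floor F."""
    return "ABCDEF"[min(len(findings), 5)]


def fetch_headers(url, timeout=10):
    """Fetch the final response headers for url (redirects are followed)."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample responses for offline use (not real captures).
BARE = {"Content-Type": "text/html", "Server": "nginx"}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "X-XSS-Protection": "1; mode=block",
}
WEAK_CSP = dict(HARDENED, **{
    "Content-Security-Policy": "default-src *; script-src 'unsafe-inline' 'unsafe-eval' https:",
})


def report(name, headers):
    """Print one audit result; returns the grade for callers."""
    findings = audit_headers(headers)
    print("%s: grade %s" % (name, grade(findings)))
    for severity, message in findings:
        print("  [%s] %s" % (severity, message))
    return grade(findings)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report(sys.argv[1], fetch_headers(sys.argv[1]))  # live check of one URL
    else:
        for label, sample in (("bare", BARE), ("hardened", HARDENED), ("weak-csp", WEAK_CSP)):
            report(label, sample)
```

Run it with a URL to audit a live site, or with no arguments to see the three constructed samples graded. Note that a site can carry every header and still be phished through a look-alike domain in an ad; headers limit what an attacker can do from inside the real origin, not what a clone on another domain shows its victims.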