Bitcoin Forum

Other => Archival => Topic started by: nogf on December 28, 2014, 12:48:45 AM



Title: .
Post by: nogf on December 28, 2014, 12:48:45 AM
.


Title: Re: Full Disclosure: Blockchain.info My Wallet Stored XSS.
Post by: Maged on December 28, 2014, 04:05:35 AM
... can inject JavaScript into the wallet

...

This "resolution" ignores that the bug can be used to cause a persistent compromise.
On the contrary, because of the Content Security Policy, you cannot inject JavaScript on most browsers, greatly reducing the attack surface. Unfortunately, you can inject styling and HTML, which, if you've ever seen Reddit or one of those CSS demonstration sites, you would know can still change enough of the page to convince the user to do something bad. But again, that wouldn't be automatic. Still an issue, but not as bad as you make it out to be. They should really disable inline styling after they fix this.
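The distinction Maged draws (inline script blocked by CSP, inline styling still permitted) is something a defender can check directly from the policy header. The Python below is an added example for this thread, not code from the forum or from Blockchain.info, and every header value in it is constructed for illustration rather than taken from the real site. It parses a Content-Security-Policy value the way a CSP-capable browser would (first occurrence of a directive wins, `style-src`/`script-src` fall back to `default-src`, a nonce or hash in the directive makes `'unsafe-inline'` a no-op) and reports what a stored markup injection could still achieve under it.

```python
"""Evaluate a Content-Security-Policy header for inline script and style.

Added example for this thread; the header values below are constructed
and are not Blockchain.info's real policy.
"""
from typing import Dict, List, Optional

HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive-name: [source expressions]}.

    Per the spec, if a directive name is repeated, the first occurrence
    governs and later ones are ignored.
    """
    policy: Dict[str, List[str]] = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in policy:
            policy[name] = parts[1:]
    return policy


def governing_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Return the source list that applies to `directive` (script-src or
    style-src), falling back to default-src. None means no directive applies,
    i.e. the browser places no restriction at all on that content type."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def allows_inline(policy: Dict[str, List[str]], directive: str) -> bool:
    """True if inline content of this type (<style>, style="", <script>,
    onclick="") would be applied or executed under the policy."""
    sources = governing_sources(policy, directive)
    if sources is None:
        return True
    if "'unsafe-inline'" not in sources:
        return False
    # A nonce or hash source in the same directive makes 'unsafe-inline'
    # a no-op in CSP2+ browsers; 'strict-dynamic' does the same for script-src.
    if any(s.startswith(HASH_PREFIXES) for s in sources):
        return False
    if directive == "script-src" and "'strict-dynamic'" in sources:
        return False
    return True


def assess(header: str) -> Dict[str, object]:
    """Summarise what a stored markup injection could still achieve under
    this policy. Enforcement assumes a CSP-capable browser; a browser that
    ignores the header is restricted by nothing here."""
    policy = parse_csp(header)
    inline_script = allows_inline(policy, "script-src")
    inline_style = allows_inline(policy, "style-src")
    findings: List[str] = []
    if inline_script:
        findings.append("inline script permitted: stored markup injection becomes script execution")
    if inline_style:
        findings.append("inline style permitted: injected markup can restyle the page to mislead the user")
    if not findings:
        findings.append("inline script and style both blocked; injected markup limited to plain content")
    return {"inline_script": inline_script, "inline_style": inline_style, "findings": findings}


# Constructed header values for demonstration (not the real site's policy).
NO_CSP = ""
WEAK_CSP = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
FIXED_CSP = "default-src 'self'; script-src 'self'; style-src 'self'"
NONCE_CSP = "default-src 'self'; script-src 'nonce-r4nd0m' 'unsafe-inline'"

if __name__ == "__main__":
    for label, header in [("none", NO_CSP), ("weak", WEAK_CSP), ("fixed", FIXED_CSP), ("nonce", NONCE_CSP)]:
        result = assess(header)
        print(f"{label:6s} script={result['inline_script']!s:5s} style={result['inline_style']!s:5s} {result['findings'][0]}")
```

`WEAK_CSP` is the shape of policy the reply describes: script injection is blocked, but `'unsafe-inline'` in `style-src` leaves the restyling avenue open; `FIXED_CSP` is the same policy with inline styling removed, which is the change Maged recommends. The `NONCE_CSP` case shows why the check must look at the whole directive rather than grep for `'unsafe-inline'`: a nonce in the same directive disables it in CSP2-aware browsers.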