Nathan of Guardian wrote:
> On Fri, Sep 19, 2014, at 08:55 AM, Tom Ritter wrote:
>> The way I'd exploit it is by sending you a link via
>> email/txt/chatsecure when I think/hope you're on your phone with some
>> enticing subject like "Someone just dropped a ChatSecure 0day on
>> ExploitDB". That link would send you to a page with some nonsense text
>> that's really long for you to read through. Meanwhile I stuck a
>> couple of iframes hidden on the page that frame gmail, facebook,
>> whatever else is interesting. Anything you're logged in to would
>> allow full page extraction - all your emails, facebook info, etc etc.
>> Add with some crawling through the html and you could extract
>> near-limitless information so long as the victim kept the page open.
>
> Ah, right, thanks. Glad to have devious, criminal-minded friends like
> you around, Tom!
Yet another stark reminder that the web only really works with public
information. Running applications on the web is really just a terrible
idea from a security and privacy point of view.

.hc

--
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
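The scenario Tom describes only works if the target site can be loaded inside an iframe on a page the attacker controls. As an added illustration (not code from this thread or from the Guardian Project), the check below reads a site's response headers and decides whether a foreign origin could frame it, honouring CSP `frame-ancestors` over the older `X-Frame-Options`; the sample header sets are constructed, and origin matching is exact (no wildcard host patterns).

```python
"""Judge, from HTTP response headers alone, whether a page can be framed
by another origin. Constructed example; header sets below are made up."""


def _csp_frame_ancestors(csp: str):
    """Return the source list of the frame-ancestors directive, or None
    if the CSP header has no such directive."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_allowed(headers: dict, page_origin: str, attacker_origin: str) -> bool:
    """True if attacker_origin could embed the page in an iframe.

    headers: {name: value}; names are matched case-insensitively.
    Browsers that support CSP frame-ancestors ignore X-Frame-Options when
    both are present, so CSP is evaluated first.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = _csp_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if ancestors == ["'none'"]:
            return False
        allowed = set()
        for src in ancestors:
            # 'self' means the page's own origin; anything else is taken
            # as a literal origin (assumption: no wildcard patterns)
            allowed.add(page_origin.lower() if src == "'self'" else src)
        return "*" in allowed or attacker_origin.lower() in allowed
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return page_origin.lower() == attacker_origin.lower()
    return True  # no framing restriction at all


# Constructed sample responses, not captured from any real site
SAMPLE_HEADERS = {
    "no_protection": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_HEADERS.items():
        ok = framing_allowed(hdrs, "https://mail.example", "https://evil.example")
        print(f"{name}: {'frameable' if ok else 'protected'}")
```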
