On Thu, Mar 30, 2017 at 5:31 AM, Chris Laprise <tas...@openmailbox.org> wrote: > xdotool also lets you inject keystrokes into windows. > > With a shortcut-key assignment this can be easily scripted by the user (you > said this was for power users).
Automatically injecting the keystrokes removes the "just watch the window title and don't paste if it changed" mitigation which Shane claimed as sufficient to make this attack preventable rather than just detectable. Overall I think this concept is simply too dangerous because you are ignoring the actual origin of the browser and authenticating based entirely on fully attacker-controlled information. Sure, you could be super careful, but you're still pointing the gun at your foot. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CABQWM_DTC24h6XfbjW0xw%2B4q7MfpnKN8CmLRE660ahemBMOQBw%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.