Interesting exploit http://joevennix.com/2015/06/24/Adventures-in-Browser-Exploitation-Part-II--Safari-8-UXSS.html … How much more powerful do web/browser APIs need to get until all agree UXSS == arbit code exec?
@frgx I think we already have to consider UXSS like arbit code exec. But, arbit code exec is more powerful because it is a superset of UXSS.
@BRIAN_____ yeah; anecdotally though, response times to fixing UXSS seem to be much worse than arbitrary code exec
@BRIAN_____ also, as a thought experiment: what about arbitrary code exec limited to one platform while UXSS on all?
@frgx @BRIAN_____ powerful APIs require user interaction, and user interaction always downgrades severity
@__apf__ UXSS will use the permissions granted to trusted websites. No User interaction needed. @BRIAN_____
@frgx @BRIAN_____ assuming you visit one; still a higher bar
@frgx @BRIAN_____ and we're moving to reprompt for iframes so that doesn't work either