@mathias @Hacker0x01 Doesn't help on same-domain: http://jsfiddle.net/avwUm/show/
Replying to @avlidienbrunn
@avlidienbrunn But it does, unless you use `X-Frame-Options: SAMEORIGIN` or `ALLOW-FROM: …`, which @Hacker0x01 doesn’t.
Replying to @mathias
@mathias @Hacker0x01 You don't have to frame it to access the content. See my second example. You can use window.open().
Replying to @avlidienbrunn
@avlidienbrunn You could abuse this if there’s XSS on the login page, but then you can log keystrokes anyway, autofill or not. @Hacker0x01
Replying to @mathias
@mathias @Hacker0x01 The XSS can be anywhere on the domain. Still one-click owned, and that's pretty shitty tbh: http://jsfiddle.net/avwUm/6/show/
Replying to @avlidienbrunn
@avlidienbrunn My point is: XSS is a separate issue that is dangerous, with or without autofill. +@Hacker0x01
Replying to @mathias
@mathias It's more dangerous if the attacker can get plaintext credentials. It's about mitigation, just like CSP and whatnot. +@Hacker0x01
Replying to @avlidienbrunn
@avlidienbrunn I meant: you can still get plaintext credentials with autofill disabled using your trick. @Hacker0x01
@mathias @Hacker0x01 That requires *way* more user interaction and is not the same thing. 0 or 1 click versus phishing someone...