@avlidienbrunn That doesn’t apply here as @Hacker0x01 serves HTML with the `X-Frame-Options: DENY` header (and rightly so).
Replying to @mathias
@mathias @Hacker0x01 Doesn't help on same-domain: http://jsfiddle.net/avwUm/show/
Replying to @avlidienbrunn
@avlidienbrunn But it does, unless you use `X-Frame-Options: SAMEORIGIN` or `ALLOW-FROM: …`, which @Hacker0x01 doesn’t.
Replying to @mathias
@mathias @Hacker0x01 You don't have to frame it to access the content. See my second example. You can use window.open().
Replying to @avlidienbrunn
@avlidienbrunn You could abuse this if there’s XSS on the login page, but then you can log keystrokes anyway, autofill or not. @Hacker0x01
Replying to @mathias
@mathias @Hacker0x01 The XSS can be anywhere on the domain. Still one-click owned, and that's pretty shitty tbh: http://jsfiddle.net/avwUm/6/show/
Replying to @avlidienbrunn
@avlidienbrunn My point is: XSS is a separate issue that is dangerous, with or without autofill. +@Hacker0x01
Replying to @mathias
@mathias It's more dangerous if the attacker can get plaintext credentials. It's about mitigation, just like CSP and whatnot. +@Hacker0x01
Replying to @avlidienbrunn
@avlidienbrunn I meant: you can still get plaintext credentials with autofill disabled using your trick. @Hacker0x01
Replying to @mathias
@mathias @Hacker0x01 That requires *way* more user interaction and is not the same thing. 0 or 1 click versus phishing someone...