The bitcoin wallet Electrum allows any website to steal your bitcoins. I was gonna report it...but there was already an open issue from last year. I pointed out this is kinda critical, and they made a new release within a few hours. Update to 3.0.4 if you use it.
-
Replying to @taviso
skimming the issues, not seeing one that matches your tweet description. link? and I assume you reported privately not via tracker?
1 reply 1 retweet 2 likes -
Replying to @attritionorg
It's this one https://github.com/spesmilo/electrum/issues/3374 …
7 replies 22 retweets 89 likes -
Replying to @taviso @attritionorg
Websites cannot access localhost in browsers, unless there is a bug in the browser.
3 replies 1 retweet 3 likes -
Replying to @AdamR0berts @attritionorg
You said that so authoritatively, and yet you're completely wrong
4 replies 8 retweets 364 likes -
Replying to @taviso @attritionorg
I've tested browsers and attempted to connect to a redis server running on localhost and it wouldn't connect, move the page onto localhost and it does.
3 replies 0 retweets 0 likes -
Replying to @AdamR0berts @attritionorg
Sounds like you need to read about CORS.
3 replies 0 retweets 160 likes -
Replying to @taviso @attritionorg
Anyone that doesn't set a password on their wallet shouldn't be storing them locally.
4 replies 0 retweets 3 likes -
Replying to @AdamR0berts @taviso
while true, doesn't mean the vulnerability in the JSONRPC interface isn't there.
1 reply 0 retweets 0 likes
There are dozens of unauthenticated commands. 
-
Replying to @taviso @attritionorg
None of which allow sending bitcoins without unlocking the wallet, which requires the wallet password.
0 replies 0 retweets 0 likes