Insane and irresponsible. The demo pages even meant that attackers were one XSS or CSRF from your home address. https://medium.com/@philipn/want-to-see-something-crazy-open-this-link-on-your-phone-with-wifi-turned-off-9e0adb00d024
Replying to @FiloSottile
aren't quite a few sites one XSS from revealing your home address?
1 reply 0 retweets 1 like
Replying to @tehjh @FiloSottile
IMO biggest diff is consent confirmation step so easily guessed or derived. Other CSRF or embedded browser attacks would be more complicated
1 reply 0 retweets 0 likes
E.g. http://payfone.com demo doesn't require info. Attacker could embed in mobile app & collect everyone's cell #, at least for that demo
2 replies 0 retweets 0 likes
Replying to @philipn @FiloSottile
sure, but that's not XSS/CSRF
8:26 PM - 15 Oct 2017
0 replies
0 retweets
0 likes