Comment on Dell warns of data breach, 49 million customers allegedly affected
DriftinGrifter@lemmy.blahaj.zone 5 months agodoesent literraly every website with autocomplete search queries do this?
Comment on Dell warns of data breach, 49 million customers allegedly affected
DriftinGrifter@lemmy.blahaj.zone 5 months agodoesent literraly every website with autocomplete search queries do this?
kibiz0r@midwest.social 5 months ago
No. This is analogous to cross-frame scripting.
So imagine you go to
tiktok.comand you click on a link tobestbuy.com/cool-product-i-want-to-buy. But instead of taking you directly tobestbuy.com/cool-product-i-want-to-buy, it keeps you ontiktok.comand just opens an iframe with a keylogger injected into it.So then when you enter credit card info into the
bestbuy.comUI, thetiktok.comJS can see what you typed.(This scenario is largely impossible these days, due to modern browser security.)
The difference is that if you witnessed this kind of XFS in your desktop browser, you might notice it because the location bar still says
tiktok.com, because you never actually left the site. But in a mobile in-app browser, you don’t need an iframe. You can inject JS directly into the browser itself, making it invisible to the user. As far as you can tell, you’re on regular ol’bestbuy.com, not a modified version of it.DriftinGrifter@lemmy.blahaj.zone 5 months ago
bruh
kibiz0r@midwest.social 5 months ago
lmao, you asked.
I’m not a security expert, but my tech career has involved a lot of automated testing in weird scenarios, including iframe-based Facebook games and browser-based mobile apps. Automated tests face a lot of the same challenges that a malicious third-party would, so I know a little bit about how to get past them – or rather, how to deliberately create vulnerabilities (in the dev build of your system) so that your tests can get past them.