“Wankers”? This happened in America?
Thanks for this, I hadn't heard of Exploit Kits before. That said, the vulnerability seems to come from the used-to-be-common experience where a browser would open an Adobe plugin or whatever, something which is uncommon-to-nonexistent nowadays. In the Wikipedia article the first source they cite explaining what Exploit Kits are is an article from 2013!
I did ask for what's possible in the worst case scenario, so fair enough, but I'm still wondering if there are exploits that use a (modern) browser alone, without relying on opening other software. I guess this is another stupid question, but do browser plugins even exist anymore? I can't remember the last time I saw a page with a plug-in.
Gotta admit I'm not about to read all that API documentation for window.showOpenFilePicker() but it looks like the user has to have a lot more specific interaction, i.e. choosing files on local disk, in order for the site to have access. So you wouldn't be able to get access just using some generic popup.
I seem to recall an alert from a while back whereby if your password manager autofills login info, that could make you vulnerable, if you visit a site that embeds a bank's login page within an <iframe>, the parent site would be able to read the relevant DOM elements. Requires a specific browser setup, obviously, but would this still work? Are there exploits that cannot be circumvented by visiting unknown sites in Incognito mode, as I do from time to time when I am curious about a suspicious link?
Aren't your question parameters too wide? If someone has a perfect (presumably zero day) exploit
I suppose so. If somehow Chrome granted a page access to the entire filesystem, obviously that would be very bad. But you're probably protected against such an exploit because come on, are you really going to be the first person they target with this attack? Although I retract this skepticism if you are actually a billionaire.
So okay, are there any known ways that a site could extract important private information about a user just by visiting a site (and, let's say, scrolling)?
Hoping early Monday isn't too late for a small-scale question, so here goes:
In the wake of a friend falling victim to a phishing scam in which they were convinced to send a screenshot of a link to a password reset page (indeed, head-slappingly bad), I'm currently being dragged in real life for my hot take, two-part opinion that
- This scam was facilitated by the common advice that you should NEVER follow links because they could be from a hacker and then you will get hacked! and
- This advice isn't actually very good, in the sense that nothing bad can really happen to you just from following some random link.
As a web developer I know something about how the web works, but obviously I don't know everything, so I'm curious if someone else can come up with a really bad outcome achievable just by clicking on a link. Could you, say, send an API request to a bank from within your webpage, and then read the response and cookies from the host page? I'm thinking this would be blocked by both browser and site technology. This has to be what CORS is for, right? Not just to annoy me while I'm developing?
Anyway, like I said, suggestions welcome.
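The CORS question raised in the post above, as an added example that is not part of the original post: a simplified model of the check a browser applies before letting a page's script read a cross-origin response. The function name, origins and header sets are constructed for illustration.

```javascript
// Simplified model of the CORS check from the Fetch standard.
// It models only whether page script may READ the response; it does not model
// whether the request is sent or which cookies are attached to it.
// All URLs and headers here are constructed sample values.

function originOf(url) {
  return new URL(url).origin; // scheme + host + port
}

// credentials: true when the request carries cookies (fetch credentials: "include")
function canScriptReadResponse(pageUrl, targetUrl, credentials, responseHeaders) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === originOf(targetUrl)) return true; // same origin: no CORS check

  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }

  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return false; // server never opted in

  if (!credentials) {
    return allowOrigin === "*" || allowOrigin === pageOrigin;
  }
  // With cookies: the wildcard is not accepted, and the server must also
  // send Access-Control-Allow-Credentials: true.
  return allowOrigin === pageOrigin &&
         h["access-control-allow-credentials"] === "true";
}

// Constructed scenario: a page reached via a random link calls a bank's API.
const PAGE = "https://random-link.example/article";
const BANK = "https://bank.example/api/balance";

function demoCases() {
  return {
    noCorsHeaders: canScriptReadResponse(PAGE, BANK, true, {}),
    wildcardWithCookies: canScriptReadResponse(PAGE, BANK, true,
      { "Access-Control-Allow-Origin": "*" }),
    wildcardNoCookies: canScriptReadResponse(PAGE, BANK, false,
      { "Access-Control-Allow-Origin": "*" }),
    reflectedOriginWithCreds: canScriptReadResponse(PAGE, BANK, true,
      { "access-control-allow-origin": "https://random-link.example",
        "access-control-allow-credentials": "true" }),
  };
}
```

The last case is the server-side misconfiguration to audit for: an API that echoes any caller's origin together with `Access-Control-Allow-Credentials: true` opts out of the protection the first two cases show.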
I guess I want to speak up for the people who think that Fetterman really wasn’t that bad. For the most part, it was clear what he was trying to say, even though he didn’t express himself fluently and seemed like a nervous middle schooler giving a presentation, or like he was doing a Chris Farley impression, for the older millennials among us. He had a lot of canned talking points, of course, because that’s just how debates work nowadays, no actual debating involved.
Unfortunately, in this day and age it’s always necessary to declare one’s affiliations along with one’s objective judgments of a situation, so I need to express my own view by saying my dream would be to vote for a Republican candidate who is actually good, not that phony Mehmet Oz. We know Fetterman’s excuse; what is Oz’s excuse for not saying anything interesting during the entire debate?
Not sure what ETFs you are holding but only down 10% would be an amazing performance this year.
I guess it's kind of funny that after I have been complaining for years about Twitter's bullshit justification for banning Trump under the "incitement to violence" standard, the new management goes and suspends Kanye West because, according to Elon Musk's tweet, "he again violated our rule against incitement to violence." https://twitter.com/elonmusk/status/1598543670990495744
Maybe yishan (formerly of Reddit) was right that when you run a social media platform, there are certain bans that you just have to enact to keep your service alive, even though there are no objective rules you can apply to justify these bans.
[EDIT: Just noticed this was already discussed below. Sorry.]
[EDIT 2: I deleted in <10 minutes but there had already been some replies. No good options based on my past choices so I think least-bad is to undelete. Sorry for chaos.]