Open weizman opened 6 months ago
We saw that coming already (see "secret splitting" section).
I don't see a way around this at the moment, so either we convince browsers to ship a native and secure Snow version (which will take years) or we convince Firefox to fix the bug that's causing this (wip)
Or we come up with a clever defense. I thought about making use of selectionchange
event which captures the find
call, but since attack is sync, the secret is compromised before the event fires...
I wonder how this one will play out
When running in Firefox, Secret protected by LavaDome can easily be leaked.