SolidOS / solidos

The operating system for Solid
https://solidos.solidcommunity.net/
MIT License

Phishing risk when hosting HTML files #137

Open joeitu opened 2 years ago

joeitu commented 2 years ago

Hello,

Not sure if this is the correct place to create the issue, but today on https://solidcommunity.net I created an account called "password-recovery" and was able to create this: https://password-recovery.solidcommunity.net/

I can imagine a scenario where an attacker would grab email addresses from solidcommunity.net users (e.g. by scraping their WebID document) and then send them a phishing email: "All solid community accounts have been compromised, please reset your password on https://password-recovery.solidcommunity.net/"

Of course, solidcommunity.net offers no warranty on security, as it is principally a place of experimentation. But I wonder if in the future it would be possible to have at the same time the possibility to host webpages and to prevent phishing attacks. Maybe a stronger blacklist? A moderation system, where permission needs to be requested to host a webpage?
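The "stronger blacklist" and "moderation system" ideas from the comment above, sketched as an added example (not part of the original issue and not code from SolidOS or node-solid-server): a registration-time check on the requested pod name that refuses reserved words and sends near-misses to a moderator. The function name `checkPodName`, the word list and the sample names are assumptions made for illustration.

```javascript
// Constructed sample list (assumption): words that make a pod subdomain
// look like an official service page of the hosting provider.
const RESERVED = ['account', 'admin', 'helpdesk', 'login', 'password', 'recover',
  'recovery', 'reset', 'security', 'signin', 'support', 'verify'];
const LOOKALIKES = { 0: 'o', 1: 'l', 3: 'e', 4: 'a', 5: 's', 7: 't' };
const DNS_LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;

// Hypothetical registration hook.
// Returns { decision: 'allow' | 'review' | 'reject', reason }.
function checkPodName(requested) {
  const name = String(requested).normalize('NFKC').toLowerCase();
  // Accept only plain ASCII labels: this refuses Cyrillic/Greek homoglyphs
  // and punycode-encoded names before any word matching happens.
  if (!DNS_LABEL.test(name) || name.startsWith('xn--')) {
    return { decision: 'reject', reason: 'not a plain ASCII DNS label' };
  }
  // Fold digit look-alikes for matching only; the stored name is unchanged.
  const folded = name.replace(/[013457]/g, (c) => LOOKALIKES[c]);
  const exact = folded.split('-').find((part) => RESERVED.includes(part));
  if (exact) return { decision: 'reject', reason: `reserved word "${exact}"` };
  // A reserved word buried in a longer string may be innocent ("badminton"),
  // so it goes to a human moderator instead of being refused outright.
  const compact = folded.replace(/-/g, '');
  const partial = RESERVED.find((word) => compact.includes(word));
  if (partial) return { decision: 'review', reason: `contains "${partial}"` };
  return { decision: 'allow', reason: 'no reserved word found' };
}

// Constructed sample names.
for (const n of ['password-recovery', 'Passw0rd-Reset', 'accountsupport', 'joeitu']) {
  console.log(n, checkPodName(n));
}
```

A word list like this only narrows the problem; names that pass it can still be used in a lure, which is why the partial matches are routed to review rather than silently allowed.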

Otto-AA commented 1 year ago

Related issue for NSS: https://github.com/nodeSolidServer/node-solid-server/issues/1356