This was raised in a previous topic with a lack of resolution (but closed nonetheless).
The FB pixel rendered out in source looks like this:
The email in question belongs to the user who is logged in. Harmless, I hear you say, because they already know their own email address.
However, a malicious browser extension could very easily harvest email addresses and the user’s private data this way.
Say I created a handy extension called “Tracking Pixel Detector” or some such that users could install to keep an eye on tracking pixels. Every site they visit where they are logged in will reveal their email address to the extension.
Please address this potential security hole by ensuring email addresses are NEVER displayed in the source code.