Closed deckar01 closed 9 years ago
I guess since we have a console warning in place we're probably okay, though this feels like there could be some sort of vector for abuse/attack here.
@matschaffer Since this function can only set the address, there is no potential to perform any actions. I can't think of an attack that can be performed by making a victim think they are logged into someone else's account. Besides that, they would have to have at some point entered the command debugAs('username'), which prints a message stating that you are debugging the client.
Thanks for the confirmation. Sounds reasonable in that case.
On Wednesday, January 21, 2015, Jared Deckard notifications@github.com wrote:
@matschaffer https://github.com/matschaffer Since this function can only set the address, there is no potential to perform any actions. I can't think of an attack that can be performed by making a victim think they are logged into someone else's account. Besides that, they would have to have at some point entered the command debugAs('username'), which prints a message stating that you are debugging the client.
:+1:
Adds a global JavaScript function for logging in and debugging the client with only a username or address.
debugAs('jared')
debugAs('gEbULLfbgv1XHUgxq2C1FWLfKzDie2KWDG')
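The property the thread relies on (a debug session only sets the displayed address and cannot perform actions) can be enforced in code rather than assumed. The following is an added sketch, not code from this pull request or from stellar-client; `createSession`, `login`, `signTransaction`, the directory and the placeholder addresses are assumptions made for illustration.

```javascript
// Hypothetical model of a view-only debug session. All names are
// assumptions for illustration, not stellar-client's API.
// Constructed sample directory mapping a username to a placeholder address.
const DIRECTORY = new Map([['alice', 'gCONSTRUCTED_PLACEHOLDER_ADDRESS']]);

function createSession() {
  return { address: null, secretKey: null, debug: false };
}

// Normal login: the session receives signing material.
function login(session, address, secretKey) {
  session.address = address;
  session.secretKey = secretKey;
  session.debug = false;
}

// Debug entry: accepts a username or an address and sets only what is
// displayed. Any key already held by the session is dropped, so the debug
// view can never sign, and a console warning is always emitted.
function debugAs(session, usernameOrAddress, warn = console.warn) {
  const address = DIRECTORY.get(usernameOrAddress) || usernameOrAddress;
  session.address = address;
  session.secretKey = null;
  session.debug = true;
  warn(`Debugging the client as ${address}: view only, no signing key loaded`);
  return session;
}

// Every state-changing action goes through this gate.
function signTransaction(session, tx) {
  if (session.debug || !session.secretKey) {
    throw new Error('refusing to sign: session has no signing key');
  }
  // Stand-in for real signing; a real client would produce a signature here.
  return { tx, signedBy: session.address };
}
```

Dropping the key inside `debugAs` is a design choice of this sketch: it keeps a user who was already logged in from signing with their own key while the interface shows another account.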