Closed lordi closed 8 years ago
Locally bound HTTP RPC services can be called from the browser if no measures are taken against it.
Here is an example of Monero:
https://labs.mwrinfosecurity.com/advisories/csrf-vulnerability-allows-for-remote-compromise-of-monero-wallets/
The temporary solution of Monero is to set a pre-defined user agent, but that does not seem secure enough. We probably need some simple authentication token for API calls.
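An added illustration of the token-based mitigation proposed above (example code written for this issue, not Monero's or this project's code): a small Python RPC handler that refuses browser-originated requests and requires a bearer token instead of relying on a User-Agent match. The token lifetime, how the local client obtains it, and the method dispatch are assumptions.

```python
import hmac
import json
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Mapping, Tuple

# Constructed example: a random per-process token. A real service would persist
# it to a file readable only by the local user so the wallet client can read it.
RPC_TOKEN = secrets.token_hex(32)


def authorize_rpc_request(headers: Mapping[str, str], token: str = RPC_TOKEN) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request to the locally bound RPC port."""
    h = {k.lower(): v for k, v in headers.items()}
    # Cross-origin browser requests (fetch/XHR/form posts) carry Origin and/or
    # Referer; a native local client sends neither, so refuse them up front.
    if "origin" in h or "referer" in h:
        return False, "browser-originated request (Origin/Referer present)"
    # A User-Agent match is not authentication; require a bearer token instead.
    auth = h.get("authorization", "")
    if auth[:7].lower() != "bearer ":
        return False, "missing bearer token"
    presented = auth[7:]
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(presented.encode(), token.encode()):
        return False, "invalid token"
    return True, "ok"


class RpcHandler(BaseHTTPRequestHandler):
    """Minimal JSON-RPC endpoint that gates every call through authorize_rpc_request."""

    def do_POST(self) -> None:
        allowed, reason = authorize_rpc_request(dict(self.headers.items()))
        if not allowed:
            self._reply(403, {"error": reason})
            return
        length = int(self.headers.get("Content-Length", "0"))
        request = json.loads(self.rfile.read(length) or b"{}")
        # Hypothetical method dispatch; only the authorization gate matters here.
        self._reply(200, {"result": "accepted", "method": request.get("method")})

    def _reply(self, status: int, body: dict) -> None:
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
```

To run it, bind only to loopback, e.g. `HTTPServer(("127.0.0.1", PORT), RpcHandler).serve_forever()`, and hand RPC_TOKEN to the local client out of band.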