thingsboard / thingsboard

Open-source IoT Platform - Device management, data collection, processing and visualization.
https://thingsboard.io
Apache License 2.0

[Bug] Reflected HTML injection via outdated swagger #8411

Closed mathiasbosman closed 3 months ago

mathiasbosman commented 1 year ago

Describe the bug

they have found that you are able to load your own content from example https://gist.githubusercontent.com/0xdln1/ This prompt is being served from an arbitrary location (authorization.site), which can be modified as needed to be as convincing as possible to any possible victim. Imagine yourdomain.authorization.site, for example. Depending on the browser being used, a message can be included along with the prompt to make it seem more trustworthy. When a victim enters their information into the prompt, it is sent to the arbitrary location being used by the attacker (authorization.site) along with their IP address, and stored in plain text for the attacker to use when desired.

Your Server Environment

Your Client Environment

Desktop (please complete the following information):

To Reproduce

Steps to reproduce the behavior:

  1. Go to 'http://demo.thingsboard.io/swagger-ui/index.html?configUrl=https://gist.githubusercontent.com/0xdln1/8a89b4530eb3110e678bc1982bf38921/raw/e64def6b8fa2bb1b77c64cc2af3c61bb8321d1be/ext-injection.json'
  2. Click on the link on top

Additional context

This vulnerability was reported to us via a BugBounty program.
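As an added defender-side example (not ThingsBoard's or swagger-ui's code): a check that flags swagger-ui requests whose `configUrl` or `url` query parameter points at a host other than the server itself, which is the condition the reproduction step above relies on. The access-log lines, the `attacker.example` host and the parameter list are constructed assumptions for the demonstration.

```python
# Added example (not project code): detect swagger-ui requests that ask the UI to
# fetch its configuration or spec from an off-origin URL, as in the report above.
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Query parameters swagger-ui consults for the config/spec location (assumption:
# these two are the ones that matter for the reported behaviour).
SPEC_PARAMS = ("configUrl", "url")


def offsite_swagger_config(request_url: str, allowed_host: str) -> Optional[str]:
    """Return the offending parameter value when a swagger-ui request points the
    UI at a host other than allowed_host; return None for on-origin requests."""
    parts = urlsplit(request_url)
    if not parts.path.startswith("/swagger-ui/"):
        return None
    query = parse_qs(parts.query)
    for name in SPEC_PARAMS:
        for value in query.get(name, []):
            target = urlsplit(value)
            # Relative values have no netloc and stay on-origin; absolute and
            # scheme-relative values (//host/...) carry a netloc to compare.
            if target.netloc and target.netloc.lower() != allowed_host.lower():
                return value
    return None


# Constructed sample access-log lines (combined log format, abbreviated).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /swagger-ui/index.html HTTP/1.1" 200 1024
10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /swagger-ui/index.html?configUrl=/api-docs/swagger-config HTTP/1.1" 200 1024
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /swagger-ui/index.html?configUrl=https://attacker.example/ext.json HTTP/1.1" 200 1024
10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /api/auth/login HTTP/1.1" 200 64
"""


def scan_log(log_text: str, allowed_host: str) -> List[Tuple[str, str]]:
    """Return (client_ip, offending_value) for every flagged request in the log."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split('"')
        if len(fields) < 3:
            continue  # not a request line we can parse
        client_ip = line.split()[0]
        method, path, _proto = fields[1].split()  # "GET /path?query HTTP/1.1"
        value = offsite_swagger_config(path, allowed_host)
        if value is not None:
            hits.append((client_ip, value))
    return hits


if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG, "demo.thingsboard.io"):
        print(f"off-origin swagger config from {ip}: {value}")
```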

ssakharova commented 3 months ago

Hello @mathiasbosman,

The issue described is no longer relevant, as it has already been fixed. Thank you for highlighting the problem.