| ▲ | jdsleppy 17 hours ago |
| Doesn't stealing the cookies/token require a non-HTTP-only session cookie or a token in localstorage? Do you know that Discord puts their secrets in one of those insecure places, or was it just a guess? I believe if you always keep session cookies in secure, HTTP-only cookies, then you are more resilient to this attack. I interviewed frontend devs last year and was shocked how few knew about this stuff. |
|
| ▲ | notnullorvoid 16 hours ago | parent | next [-] |
| In general if a script can run, users sessions and more importantly passwords are at risk. It's true that an HTTP-only session cookie couldn't be directly taken, but it's trivial to present the user with a login screen and collect their password (and OTP), at which point you can easily get a session remotely. It can look entirely like the regular login page right down to the url path (because the script can modify that without causing a page load). |
| |
| ▲ | socketcluster 7 hours ago | parent | next [-] | | Yep, httpOnly cookies just give the hacker a bit of extra work in some situations. TBH I don't even think httpOnly is worth the hassle it creates for platform developers given how little security it adds. | |
| ▲ | drewvlaz 16 hours ago | parent | prev | next [-] | | Wow did not realize a url could be set like that without promoting a page reload... | | |
| ▲ | notnullorvoid 14 hours ago | parent | next [-] | | To be clear only the path and query parameters part of the url can change, the domain (or sub domain) stays intact. | | |
| ▲ | sdf456 4 hours ago | parent [-] | | Even scarier to me than the vulnerability is that Fidelity (whom I personally think is a good bank and investment company) was using a third party that allowed injection that could potentially steal a whole lot of money, affect markets, ruin or terminate billions of lives, and affect the course of humanity. What the fuck. | | |
| ▲ | DANmode 2 hours ago | parent [-] | | Their knowledge of finance is certainly better than their knowledge of web tech. Historically and today. |
|
| |
| ▲ | psnehanshu 12 hours ago | parent | prev [-] | | Well that's how SPAs work (single page applications) |
| |
| ▲ | jonfw 15 hours ago | parent | prev [-] | | How do you modify the url exactly? | | |
|
|
| ▲ | giancarlostoro 2 hours ago | parent | prev | next [-] |
| No because Discord auth tokens dont expire soon enough. The only thing that kills them is changing your password. Idk why Discord doesnt invalidate them after some time, it is seriously amateur hour over there and has been for a while. |
|
| ▲ | ddlsmurf 16 hours ago | parent | prev | next [-] |
| if you set the cookier header right (definitely not always the case), this is true, but the javascript can still send requests that will have that cookie included, effectively still letting the hacker use the session as the logged in user |
| |
| ▲ | collinmanderson an hour ago | parent [-] | | with http-only they can't _steal_ the cookie, but they can still _use_ the cookie. It reduces the impact but doesn't fully solve it. |
|
|
| ▲ | hackermondev 16 hours ago | parent | prev | next [-] |
| Discord puts the authentication token in local storage |
| |
| ▲ | edoceo 11 hours ago | parent [-] | | Is that a problem on its own? It's like, encrypted right? Maybe a time sensitive token? | | |
| ▲ | socketcluster 8 hours ago | parent | next [-] | | Not a problem in itself. Also, there's not much point of encrypting tokens. The attacker could use the encrypted token to authenticate themselves without having to decrypt. They could just make a request from the victim's own browser. They could do this with cookies too even with httpOnly cookies. XSS is a big problem. If a hacker can inject a script into your front end and make it execute, it's game over. Once they get to that point, there's an infinite number of things they can do. They basically own the user's account. | | |
| ▲ | arethuza 5 hours ago | parent [-] | | Does anyone actually encrypt the contents of JWTs? I'd have thought that anyone who has concerns about the contents of the token being easily visible would be likely to avoid JWTs anyway and just use completely opaque tokens? |
| |
| ▲ | seangrogg 10 hours ago | parent | prev [-] | | Depends on the token; JWTs usually have payloads that are only base64 encoded. As well, if there's a refresh token in there it can be used to generate more tokens until invalidated (assuming invalidation is built in). |
|
|
|
| ▲ | z3t4 3 hours ago | parent | prev | next [-] |
| https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/... |
|
| ▲ | s_ting765 17 hours ago | parent | prev | next [-] |
| You may be thinking of CSRF mitigations. XSS exploits are more dangerous and can do more than steal sessions. |
|
| ▲ | j-krieger 7 hours ago | parent | prev | next [-] |
| Token stealing hasn't been a real danger for a decade now. If you don't mark your token's as non-HTTP you're doing something explicitely wrong, because 99% of backends nowadays do this for you. |
| |
| ▲ | collinmanderson an hour ago | parent [-] | | with http-only they can't _steal_ the cookie, but they can still _use_ the cookie. It reduces the impact but doesn't fully solve it. |
|
|
| ▲ | abustamam 10 hours ago | parent | prev | next [-] |
| As a FE dev, I wouldn't be able to articulate what you just did in the way you did, but it is something I know in practice, just from experience. I don't think any of the FE courses I took tackled anything like that. |
|
| ▲ | netdevphoenix 6 hours ago | parent | prev [-] |
| Surely, if a script is in a position to sniff the cookie from local storage, they can also indirectly use the http-only cookie by making a request from the browser. So really not much of a difference as they will be taking over the account |
| |
| ▲ | Aldipower 2 hours ago | parent [-] | | The cookie storage and the local storage by all means is not the same! Cookies are not stored in the local storage and could be httpOnly, so they are not directly accessible by JavaScript. Nevertheless, as described above, with this XSS attack it is easy to bypass the token and just steal the user credentials by pretending a fresh login mask keeping the origin domain intact. That's why XSS attacks are dangerous since existence. Nothing new actually. |
|
