notnullorvoid 16 hours ago

In general if a script can run, users sessions and more importantly passwords are at risk.

It's true that an HTTP-only session cookie couldn't be directly taken, but it's trivial to present the user with a login screen and collect their password (and OTP), at which point you can easily get a session remotely. It can look entirely like the regular login page right down to the url path (because the script can modify that without causing a page load).

socketcluster 7 hours ago | parent | next [-]

Yep, httpOnly cookies just give the hacker a bit of extra work in some situations. TBH I don't even think httpOnly is worth the hassle it creates for platform developers given how little security it adds.

drewvlaz 16 hours ago | parent | prev | next [-]

Wow, did not realize a URL could be set like that without prompting a page reload...

notnullorvoid 13 hours ago | parent | next [-]

To be clear, only the path and query-parameter part of the URL can change; the domain (or subdomain) stays intact.

sdf456 4 hours ago | parent [-]

Even scarier to me than the vulnerability is that Fidelity (who I personally think is a good bank and investment company) was using a third party that allowed injection that could potentially steal a whole lot of money, affect markets, ruin or terminate billions of lives, and affect the course of humanity. What the fuck.

DANmode 2 hours ago | parent [-]

Their knowledge of finance is certainly better than their knowledge of web tech.

Historically and today.

psnehanshu 12 hours ago | parent | prev [-]

Well that's how SPAs work (single page applications)

jonfw 14 hours ago | parent | prev [-]

How do you modify the url exactly?

eloisius 14 hours ago | parent | next [-]

https://developer.mozilla.org/en-US/docs/Web/API/History/pus...

notnullorvoid 14 hours ago | parent | prev [-]

`history.replaceState(null, "", "/login")`
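An added defender-side example, not code from the thread: it encodes the rule notnullorvoid gives above (the History API only accepts same-origin URLs, so path and query can change but the domain cannot) as a check, and wraps `replaceState`/`pushState` so that a silent navigation onto a login-like path that did not come from the app's own router gets reported. The sensitive-path list, the `report` hook and the router token are assumptions.

```javascript
// Pure check: would the browser accept this URL for replaceState/pushState,
// and does it land on a path where a fake login form would be plausible?
const SENSITIVE_PATHS = ["/login", "/signin", "/sso"]; // constructed list (assumption)

function classifyHistoryUrl(currentHref, candidate, sensitivePaths = SENSITIVE_PATHS) {
  const current = new URL(currentHref);
  let target;
  try {
    target = new URL(candidate, currentHref); // relative URLs resolve as the browser would
  } catch {
    return { accepted: false, reason: "unparseable", sensitive: false, path: null };
  }
  // A different origin (including another subdomain) is rejected with a
  // SecurityError, so the address bar can never be made to show another domain.
  if (target.origin !== current.origin) {
    return { accepted: false, reason: "cross-origin", sensitive: false, path: target.pathname };
  }
  const sensitive = sensitivePaths.some(
    (p) => target.pathname === p || target.pathname.startsWith(p + "/")
  );
  return { accepted: true, reason: "same-origin", sensitive, path: target.pathname };
}

// Browser-side monitor (best effort, detection not prevention): wraps the two
// History API calls and reports navigations onto a sensitive path unless the
// app's router marked the call with its token in the state object.
// `report` is an assumed hook, e.g. navigator.sendBeacon to a telemetry endpoint.
function installHistoryGuard(win, report, routerToken) {
  for (const name of ["replaceState", "pushState"]) {
    const original = win.history[name].bind(win.history);
    win.history[name] = function (state, title, url) {
      const verdict = classifyHistoryUrl(win.location.href, url ?? win.location.href);
      const fromRouter = Boolean(state && state.__router === routerToken);
      if (verdict.accepted && verdict.sensitive && !fromRouter) {
        report({ api: name, path: verdict.path, stack: new Error().stack });
      }
      return original(state, title, url);
    };
  }
}

if (typeof window !== "undefined") {
  installHistoryGuard(window, (e) => console.warn("unexpected history navigation", e), "app-router");
}
```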

rvnx 14 hours ago | parent [-]

For Coinbase docs, this is a disaster particularly

notnullorvoid 13 hours ago | parent [-]

By the looks of it their docs are under a subdomain, and no part of the domain can be changed when setting the URL this way. So it would still look a little out of place at least.

brianxq3 12 hours ago | parent [-]

I mean, you're not wrong, but this is going to trick a non-zero number of people and that's not okay. We should expect more out of companies like Coinbase and hold them to a high standard.

This is unacceptable and the amount offered in general is low. It feels like we can agree on this.

Maxion 8 hours ago | parent [-]

auth URLs are almost always a shitshow in every larger corp. Having the url be https://docs.bigcorp.com/sso/authlayerv1/us-east-24/aws/secu... would not stand out at all to anyone.