undefined | Better HN

0 pointsjustsomeuser5y ago0 comments

I realise it’s a medium on that scale and I cannot argue otherwise.

But I think how private that data is to the end user should also be taken into account. It’s a medium for technical risk (relative to server remote exec), but it should be seen as a high priority for the company and rewarded as such.

If an end user were to ask that company “why did you leak all my private data” their response would be “your data is worth less than $250 in human labour and is seen as a medium security risk”?

0 comments

jsploit5y ago

The authenticated one-click social engineering aspect of this significantly lowers exploit probability and overall risk.

justsomeuserOP5y ago

This is true, but this attack could work in an Iframe in the background without that click. An attacker could buy a popular blog on the note taking app, and run the Iframe in the background collecting data for years. The bug was at least 5 years old.

j / k navigate · click thread line to collapse

0 comments

jsploit5y ago

The authenticated one-click social engineering aspect of this significantly lowers exploit probability and overall risk.

justsomeuserOP5y ago

j / k navigate · click thread line to collapse