I’m harvesting credit card numbers and passwords from your site (2018) (opens in new tab)

(medium.com)

31 pointselsombrero4y ago4 comments

4 comments

For those interested, the original discussion from 2018: https://news.ycombinator.com/item?id=16084575

It's worth noting that a takeaway message from this is "A strict CSP policy would completely prevent this attack, as long as Chrome supports the `prefetch-src` directive."

Unfortunately the ticket for implementing that (or taking the implementation out from behind its flag) is still open and has just had its 4th birthday.

https://bugs.chromium.org/p/chromium/issues/detail?id=801561

tn14y ago

This is a hard problem to solve. It seems to me the best way to mitigate most of the issues is to disallow developers to upload the built artifacts and instead have the repositories build them. That way, at least you can guarantee the source corresponds to the hosted artifacts. On the other hand, this now puts a huge burden on the package hosters to provide the infrastructure to compile everything. And forget about any oddball packages that require esoteric or picky tools

democracy4y ago

Yeah that makes me wonder how many of such real bombs are quietly deployed in npm/maven setups all over the world...

j / k navigate · click thread line to collapse