undefined | Better HN

0 pointsjkrejcha2d ago0 comments

> True. However it's not impossible to mitigate that: https://news.ycombinator.com/item?id=48563286

It's not a perfect mitigation for session stealing, isn't available in all cases, requires custom code to implement, and also can in some cases completely break sessions (unless they have another place where it's stored)

> It's a separate attack vector. It's easily mitigated by having a one week back-off before upgrading. (and as I have said already, also affects binary executables)

A separate attack vector for the same problem. Which is also not mitigated by dependency back-off. If you load a 3rd party script into your site, you're relying on that 3rd party not getting compromised.

For example, if I have a page

and if "accel.js" gets maliciously replaced, it can read all of the data out of local storage. No updates on your end required.

0 comments

1 comments · 1 top-level

szmarczak2d ago

> isn't available in all cases

Which ones? Websites that ship no JavaScript? All browsers support this.

> can in some cases completely break sessions

Or you can just remove local storage from window and have it just for yourself, which seems what Discord is doing as well.

Attackers cannot use local storage because there is no local storage on the window object.

> A separate attack vector for the same problem

It's not exactly the same problem. The example you mentioned is a footgun because you don't vendor your dependencies. Deliberately giving someone else access to your website is an issue in itself.

j / k navigate · click thread line to collapse