reply on: Cashu Browser Wallet \ stacker news ~bitcoin

0 sats \ 9 replies \ @gandlaf21 OP 11 Jan 2023 \ parent \ on: Cashu Browser Wallet bitcoin

The app has only local persistence, how can that be attacked with xss? Honest question, i might be missing something

0 sats \ 8 replies \ @nerd2ninja 11 Jan 2023

Well the wiki is trying to talk about all xss, but the particular one I was thinking of is the clever attack where you make a keylogger with JavaScript or CSS and its able to gather what you type even if the danger site is merely tabbed away.

15 sats \ 5 replies \ @gandlaf21 OP 11 Jan 2023

oh! feel free to audit ;) code is open-source.

It's good to be cautious though, so I understand if you don't wanna expose yourself. You can spin up a VM and open the site in there, then you don't have to trust me.

You should be doing that anyway, since most of the Internet runs on JS.

30 sats \ 4 replies \ @nerd2ninja 11 Jan 2023

Well I didn't mean you put a keylogger in your code, I just meant someone could visit a website that has a keylogger and then keylog a cashu token in order to take money.

The larger point being "Yo can we stop trying to put our money in web browsers?" lol

15 sats \ 3 replies \ @gandlaf21 OP 11 Jan 2023

I got you now!

True.. that is a big issue. Also why we should move on from passwords.

I would hope these kind of apps only hold amounts that are not worth stealing. Pennies or maybe a couple bucks

10 sats \ 2 replies \ @nerd2ninja 11 Jan 2023

Yes! Holy shit the password is so fucking dead. Try to make a password you can remember? Get rainbow tabled. Work hard to learn a difficult password? 1 website gets hacked and now all your accounts are compromised. Password manager? Password manager stores passwords on their server and that server gets hacked. 2fa? Sim swapping.

Just use asymmetric cryptography already!

15 sats \ 1 reply \ @gandlaf21 OP 11 Jan 2023

Hell yeah!

The only fear I have wit PubK PrivK is that the Elliptic curve doesn't offer password reset.. heheheh

20 sats \ 0 replies \ @nerd2ninja 11 Jan 2023

Bitcoin also doesn't offer password reset, but because of Bitcoin we've developed some really good methods for balancing security and availability like geo-disbursed multi-sig

0 sats \ 1 reply \ @randy 11 Jan 2023

" able to gather what you type even if the danger site is merely tabbed away"

What vulnerability allows an inactive tab to gather what's typed outside of its context?

There are many vulnerabilities on the web but most big browsers have pretty good sandboxing with regard to tabs.

0 sats \ 0 replies \ @nerd2ninja 11 Jan 2023

I was going to write a whole post about how it is so so so much worse than this, but then I decided I didn't want to give anyone any ideas lmao