The app has only local persistence; how can that be attacked with XSS? Honest question, I might be missing something.
Well, the wiki is trying to talk about all XSS, but the particular one I was thinking of is the clever attack where you make a keylogger with JavaScript or CSS and it's able to gather what you type even if the danger site is merely tabbed away.
reply
Oh! Feel free to audit ;) The code is open-source.
It's good to be cautious though, so I understand if you don't wanna expose yourself. You can spin up a VM and open the site in there, then you don't have to trust me.
You should be doing that anyway, since most of the Internet runs on JS.
reply
Well, I didn't mean you put a keylogger in your code. I just meant someone could visit a website that has a keylogger, and it could then keylog a Cashu token in order to take money.
The larger point being: "Yo, can we stop trying to put our money in web browsers?" lol
reply
I got you now!
True... that is a big issue. Also why we should move on from passwords.
I would hope these kinds of apps only hold amounts that are not worth stealing. Pennies, or maybe a couple of bucks.
reply
Yes! Holy shit, the password is so fucking dead. Try to make a password you can remember? Get rainbow-tabled. Work hard to learn a difficult password? One website gets hacked and now all your accounts are compromised. Password manager? The password manager stores passwords on their server, and that server gets hacked. 2FA? SIM swapping.
Just use asymmetric cryptography already!
reply
Hell yeah!
The only fear I have with PubK/PrivK is that the elliptic curve doesn't offer password reset... heheheh
reply
Bitcoin also doesn't offer password reset, but because of Bitcoin we've developed some really good methods for balancing security and availability, like geo-dispersed multisig.
reply
"able to gather what you type even if the danger site is merely tabbed away"
What vulnerability allows an inactive tab to gather what's typed outside of its context?
There are many vulnerabilities on the web but most big browsers have pretty good sandboxing with regard to tabs.
reply
I was going to write a whole post about how it is so so so much worse than this, but then I decided I didn't want to give anyone any ideas lmao
reply