[wyldfire]

> This is not a security vulnerability itself because I think they have implemented this for some reason

IMO just because the behavior is by design doesn't mean it's not a vulnerability. That said, this one seems like a grey area. I'd be worried about password information leaking by making TLS attacks easier in this mode.

[ryanlol]

This only affects a specific form that the user might interact with once a year (and that's being really optimistic), I don't really see it generating enough requests to make TLS attacks easier.

[thinkt4nk]

If it increases the attack surface at all, it makes it easier. Being that this site facilitates monetary transactions, I would hope they would be trying to limit their attack surface in any way possible.

I think the real point here is that there are more secure solutions. Saying that it's not all that less secure isn't a great argument.

[ryanlol]

>I think the real point here is that there are more secure solutions. Saying that it's not all that less secure isn't a great argument.

I'd say it's a very good argument, this appears to be a non-issue that doesn't justify the dev time spent on "fixing" it. We don't live in a world with infinite dev resources.

Edit: Since someone appears to disagree, how would you exploit this "bug"?