by icebraining 2845 days ago
Right, but if the social network website can modify the HTML that the Keybase extension is injecting, then surely it can also modify the iframe's URL to an attacker-controlled one?

Keybase could minimize that by showing the user's name and/or logo in the iframe. Barring another vulnerability, the site shouldn't know who is logged in to the extension, so they shouldn't be able to fake that.