by persona 2337 days ago
Congratulations on the launch! Are there any checks done on the backend to guarantee that the website using the "init(appId)" call is the right one? The attack vector here is a fake website - say "userbose dot com" - where the login would be validated by the backend and can now access all data for that user.

Adding origin whitelisting is on the roadmap. We're working on 2FA to prevent phishing.

And thank you!
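A minimal form of the per-app origin allowlisting the reply refers to, written here as an added example rather than code from Userbase or either commenter; the app registry, the request shape and the origin values are constructed for illustration:

```javascript
// Added example (not Userbase's code): a backend that receives init(appId)
// calls from a browser SDK only honours them when the request's Origin is
// registered for that appId. Registry values are constructed for this example.
const APP_ORIGINS = {
  app_demo_123: new Set(['https://userbase.com', 'https://app.userbase.com']),
};

// Normalise an Origin header to scheme://host[:port]. Returns null when the
// header is missing, is the literal "null" (sandboxed frames), carries a
// path/query (a real Origin never does) or is not http(s).
function normalizeOrigin(value) {
  if (typeof value !== 'string' || value === 'null') return null;
  let url;
  try { url = new URL(value); } catch { return null; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (url.pathname !== '/' || url.search || url.hash) return null;
  return url.origin; // lowercases the host and drops default ports
}

// Exact-match lookup: no suffix or substring logic, so a lookalike such as
// https://userbose.com or https://userbase.com.evil.example never matches.
function isOriginAllowed(appId, originHeader) {
  const allowed = APP_ORIGINS[appId];
  if (!allowed) return false;                // unknown appId
  const origin = normalizeOrigin(originHeader);
  if (!origin) return false;                 // absent or malformed: fail closed
  return allowed.has(origin);
}

// Decide whether an init(appId) request is served. A browser always sets
// Origin itself on cross-site requests, so a phishing page that embeds the
// SDK cannot claim the legitimate site's origin; a non-browser client can
// still forge the header, which is why this complements rather than replaces
// the 2FA mentioned in the reply.
function handleInit(req) {
  const appId = req.body && req.body.appId;
  const origin = req.headers && req.headers.origin;
  return isOriginAllowed(appId, origin)
    ? { status: 200, body: 'ok' }
    : { status: 403, body: 'origin not registered for appId' };
}
```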