by mcintyre1994
1795 days ago
If they can run arbitrary JS on the site, can't they just change the target of the login form to their own server and exfiltrate credentials whether you used a password manager to fill them in or not? I'd be much more interested if you could exfiltrate without arbitrary JS, maybe in an img embed with the password injected into the URL or something?