by cbsmith
5014 days ago
Again: If there is JavaScript injection, they can capture the password at the time you enter it anyway. Once you have JavaScript injection, almost any site will cough up all that data without issue. Heck, they can do a full-on man in the middle attack if they so desire. It doesn't appear that merely cloning a login session cookie would get you access to the password, as it does not appear that the server even knows what it is. In fact, this approach they've used seems like it would allow for password challenges whenever Pandora wanted to, which makes session stealing far less effective.