[notnullorvoid]

In general if a script can run, users sessions and more importantly passwords are at risk.

It's true that an HTTP-only session cookie couldn't be directly taken, but it's trivial to present the user with a login screen and collect their password (and OTP), at which point you can easily get a session remotely. It can look entirely like the regular login page right down to the url path (because the script can modify that without causing a page load).

[socketcluster]

Yep, httpOnly cookies just give the hacker a bit of extra work in some situations. TBH I don't even think httpOnly is worth the hassle it creates for platform developers given how little security it adds.

[drewvlaz]

Wow did not realize a url could be set like that without promoting a page reload...

[notnullorvoid]

To be clear only the path and query parameters part of the url can change, the domain (or sub domain) stays intact.

[sdf456]

Even scarier to me than the vulnerability is that Fidelity (whom I personally think is a good bank and investment company) was using a third party that allowed injection that could potentially steal a whole lot of money, affect markets, ruin or terminate billions of lives, and affect the course of humanity. What the fuck.

[DANmode]

Their knowledge of finance is certainly better than their knowledge of web tech.

Historically and today.

[sebmellen]

That’s why I’m a Schwab junkie… but finance is a hotspot for this kind of stuff.

[9rx]

If it weren't already in the same domain you wouldn't be able to read a non-HttpOnly cookie anyway, so that's moot.

[psnehanshu]

Well that's how SPAs work (single page applications)

[jonfw]

How do you modify the url exactly?

[eloisius]

https://developer.mozilla.org/en-US/docs/Web/API/History/pus...

[notnullorvoid]

`history.replaceState(null, "", "/login")`

[rvnx]

For Coinbase docs, this is a disaster particularly

[notnullorvoid]

By they looks of it their docs are under a subdomain, and no part of the domain can be changed when setting the url this way. So it would still look a little out of place at least.

[brianxq3]

I mean, you're not wrong, but this is going to trick a non-zero number of people and that's not okay. We should expect more out of companies like Coinbase and hold them to a high standard.

This is unacceptable and the amount offered in general is low. It feels like we can agree on this.

[Maxion]

auth URLs are almost always a shitshow in every larger corp. Having the url be https://docs.bigcorp.com/sso/authlayerv1/us-east-24/aws/secu... would not stand out at all to anyone.