by neotek
3999 days ago
It absolutely changes things, there's a marked difference in severity between encouraging someone to call a number or respond in some other way to written instructions, and capturing their login details on a page they've been trained to trust (i.e., https with a green lock). I'm certainly not saying there's no issue here - your example perfectly demonstrates a realistic and dangerous use case - I'm merely pointing out that omitting such an important aspect of the vulnerability in the repo readme is disingenuous and materially changes the severity of the issue. To be honest, the omission actually smacks a little of clickbait.

fixing everything else is trivial.