Hacker News

ronsor, yesterday at 8:22 PM

This is a security vulnerability and should be patched. Sorry, LinkedIn.

(Alternatively, extension developers can modify their extensions to block these requests!)


Replies

0cf8612b2e1e, yesterday at 8:24 PM

No kidding. I am shocked this works.

Does Firefox have a similar weakness?

MrGilbert, yesterday at 8:41 PM

I'm not sure how you'd patch that. Any request that's made from the current open tab / window is made on behalf of the user. From my point of view, it's impossible for the browser to know if the request is legit or not.

toomuchtodo, yesterday at 8:25 PM

Is there no browser setting to defend against this attack? If not, there should be, versus relying on extension authors to configure or enable such a setting.
