Dell is warning customers of a data breach after a threat actor claimed to have stolen information for approximately 49 million customers.
  • kibiz0r@midwest.socialEnglish
    51·
    8 months ago

    The ban is a dumb policy, but you’re daft if you think the security implications are at all similar.

    TikTok was caught injecting a keylogger into their in-app browser and their response was “Well yeah, but we promise we’re not using it.”

      • kibiz0r@midwest.socialEnglish
        21·
        8 months ago

        No. This is analogous to cross-frame scripting.

        So imagine you go to tiktok.com and you click on a link to bestbuy.com/cool-product-i-want-to-buy. But instead of taking you directly to bestbuy.com/cool-product-i-want-to-buy, it keeps you on tiktok.com and just opens an iframe with a keylogger injected into it.

        So then when you enter credit card info into the bestbuy.com UI, the tiktok.com JS can see what you typed.

        (This scenario is largely impossible these days, due to modern browser security.)

        The difference is that if you witnessed this kind of XFS in your desktop browser, you might notice it because the location bar still says tiktok.com, because you never actually left the site. But in a mobile in-app browser, you don’t need an iframe. You can inject JS directly into the browser itself, making it invisible to the user. As far as you can tell, you’re on regular ol’ bestbuy.com, not a modified version of it.