Edit: We took the behavior to point out this flaw in Facebook because, even though interesting, it was getting to be annoying because Facebook was ...
I just tried on Facebook, Instagram, and Twitter and they all seem to be fixed.
Not really... :)
steemit.com/security/@gaottantacin...
Affected browsers and social media platforms:
Chrome: Linkedin, ..
Chrome for Android: Facebook, ..
Edge: Facebook, Linkedin, Twitter, ..
Firefox: Facebook, Linkedin, ..
Opera: Facebook, Linkedin, ..
Safari: Facebook, Linkedin, ..
That is a brilliant post.
Very well explained. I didn't know that vulnerability.
This article has some real life examples.
And now you can imagine some really bad attack.
I redirect to a Facebook-like website I own that says "You've been disconnected, please reconnect". And boom, you have the user's password.
Just brilliant.
So it is just vital to add the noopener value.
Is this vulnerability only exploited on pages where users submit or upload information? The reason I'm asking, a site I'm assisting, uses target="_blank" on many pages but most of the pages are only displaying information and users are not submitting or uploading content.
It's only really a thing if you can't fully trust the pages you're linking out to. And as described, there are ways to mitigate this to a good extent.
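The mitigation mentioned above, as an added example that is not part of the original post or any commenter's code: a small Node script that audits an HTML string for `<a target="_blank">` links missing `rel="noopener"` (the condition under which the opened page can do `window.opener.location = ...` and swap the original tab for a fake login page, the attack described in the thread) and returns a hardened copy. It treats `rel="noreferrer"` as sufficient, because every browser that supports `noreferrer` also severs `window.opener` for it, and it preserves existing `rel` tokens such as `nofollow`. The sample HTML is constructed for the example; the regex-based tag parsing is an assumption good enough for a quick audit, not a substitute for a real HTML parser in a templating pipeline. Note that current browsers (Chrome 88+, Firefox 79+, Safari 12.1+) already imply `noopener` for `target="_blank"`, which is why recent tests on the big sites no longer reproduce the behaviour; adding the attribute explicitly still protects users on older browsers.

```javascript
// Added example, not code from the original post or from dev.to.
// Audit an HTML string for <a target="_blank"> links that lack rel="noopener"
// (so the opened page can reach window.opener) and produce a hardened copy.
// Assumption: regex parsing of anchor tags is acceptable for a quick audit.
//
// What the opened page could run before the fix (the attack in the thread):
//   window.opener.location = "https://attacker.example/fake-login";

const ANCHOR_RE = /<a\b[^>]*>/gi;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse the attributes of one opening <a ...> tag into a lowercase-keyed object.
function parseAttrs(tag) {
  const attrs = {};
  const inner = tag.replace(/^<a\b/i, '').replace(/\/?>$/, '');
  for (const m of inner.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// rel="noreferrer" implies noopener in every browser that supports either.
function hasNoopener(attrs) {
  const tokens = (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
  return tokens.includes('noopener') || tokens.includes('noreferrer');
}

// Exposed: opens a new browsing context without severing window.opener.
function isExposed(tag) {
  const attrs = parseAttrs(tag);
  return (attrs.target || '').toLowerCase() === '_blank' && !hasNoopener(attrs);
}

// Every offending anchor tag in the document, for reporting.
function auditAnchors(html) {
  return (html.match(ANCHOR_RE) || []).filter(isExposed);
}

// Copy of the HTML with rel="noopener noreferrer" added to each exposed anchor,
// keeping any rel tokens already present (e.g. "nofollow").
function hardenAnchors(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    if (!isExposed(tag)) return tag;
    const existing = (parseAttrs(tag).rel || '').split(/\s+/).filter(Boolean);
    const rel = [...existing, 'noopener', 'noreferrer'].join(' ');
    if (/\srel\s*=/i.test(tag)) {
      return tag.replace(/\srel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i, ` rel="${rel}"`);
    }
    return tag.replace(/\/?>$/, (end) => ` rel="${rel}"${end}`);
  });
}

// Constructed sample page (not a real site) mixing safe and exposed links.
const SAMPLE_HTML = `
<a href="https://example.com/a" target="_blank">exposed</a>
<a href="https://example.com/b" target="_blank" rel="nofollow">exposed, keeps nofollow</a>
<a href="https://example.com/c" target="_blank" rel="noopener">safe</a>
<a href="https://example.com/d" target="_blank" rel="noreferrer">safe</a>
<a href="https://example.com/e" target="_self">same tab, safe</a>
<a href="https://example.com/f" TARGET='_blank'>exposed, odd casing</a>
`;

console.log('exposed before:', auditAnchors(SAMPLE_HTML));
console.log('exposed after: ', auditAnchors(hardenAnchors(SAMPLE_HTML)));
```

Run it against a rendered page body and fix every tag it reports; links to pages you fully control are the only ones where leaving `window.opener` reachable is harmless, and even then the attribute costs nothing.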
Not sure if they fixed it in all social networks, or dev.to doesn't have the opener script anymore. I've tried a jsbin but didn't work either.
Is this vulnerability only exploited on pages where users submit or upload information?
Surely this is fixed now?
Thank you for sharing and explaining in detail. We'll make changes to the site.
Thanks Ben, literally a life saver