
Topic: Lax Security on a lot of Crypto Sites - be careful everyone - a nice simple check.

Posting this here because it's really starting to bug me.

I got asked by a friend why he keeps seeing Google Ads that are clones of known exchanges. He sent me a few URLs, and each and every single one was operating not as a clone, but as an XSS attack, because the exchanges didn't have the basic security headers set. Some examples of bad offenders:

Binance Header Report - No CSP policy, no XSS blocks, no referrer policy

MyEtherWallet Header Report - Literally embarrassing, doesn't have anything set at all. Despite being told in their GitHub repo how to fix it and being given a pull request.

Everyone, be careful, and scan the sites you use before you get ripped off by someone doing a drive-by.
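As an added example (not part of the post above), here is a small Python checker for the headers the post complains about: it audits a header set for a missing or weak CSP, content-type sniffing block, frame options, Referrer-Policy and HSTS, and can fetch a URL to audit it live. The acceptance rules are a conservative baseline of my own choosing, not an exhaustive policy review, and the sample header sets are constructed.

```python
"""Audit HTTP response headers for the basic browser-side protections
(CSP, sniffing/framing blocks, Referrer-Policy, HSTS). Example code,
not from the original post. Note: the legacy X-XSS-Protection header is
ignored on modern browsers; CSP is the control that actually matters."""
import sys
import urllib.request

# Header -> predicate returning True when the value is acceptable (baseline only).
REQUIRED = {
    "content-security-policy": lambda v: "default-src" in v or "script-src" in v,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip().lower()
        not in ("", "unsafe-url", "no-referrer-when-downgrade"),
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
}

def audit_headers(headers):
    """Return {header: problem} for every missing or weak header.
    `headers` is any mapping of header names to values (names case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = {}
    for name, acceptable in REQUIRED.items():
        value = lowered.get(name)
        if value is None:
            findings[name] = "missing"
        elif not acceptable(value):
            findings[name] = f"weak value: {value!r}"
    return findings

def audit_url(url, timeout=10):
    """GET `url` (redirects followed) and audit the final response's headers."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return audit_headers(dict(resp.headers.items()))

# Constructed samples: a bare response like the ones described, and a sound one.
SAMPLE_BARE = {"Content-Type": "text/html", "Referrer-Policy": "unsafe-url"}
SAMPLE_GOOD = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for target in sys.argv[1:]:
        problems = audit_url(target)
        print(target, "OK" if not problems else "")
        for name, problem in problems.items():
            print(f"  {name}: {problem}")
```

Run it as `python audit.py https://example.com/` against the sites you use; an empty result means every baseline header was present with an acceptable value.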