
To be clear, only the path and query parameter part of the URL can change; the domain (or subdomain) stays intact.

Even scarier to me than the vulnerability is that Fidelity (which I personally think is a good bank and investment company) was using a third party that allowed injection that could potentially steal a whole lot of money, affect markets, ruin or terminate billions of lives, and affect the course of humanity. What the fuck.
Their knowledge of finance is certainly better than their knowledge of web tech.

Historically and today.

That’s why I’m a Schwab junkie… but finance is a hotspot for this kind of stuff.
If it weren't already in the same domain you wouldn't be able to read a non-HttpOnly cookie anyway, so that's moot.
