Stealing xoxs-tokens using weak postMessage / call-popup redirect to current team domain
Slack
Team Summary
Official summary from Slack
@fransrosen discovered a vulnerability which would allow an attacker running a malicious site to steal XOXS tokens. We resolved the postMessage and call-popup redirect issues, and performed a thorough investigation to confirm that this had never been exploited. Thanks @fransrosen for an interesting finding!
Reported by
fransrosen
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Violation of Secure Design Principles
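The title names the weakness class, a weak postMessage origin check, but the report page does not show the listener itself. The block below is an added illustration of that class and is not code from the report, from @fransrosen or from Slack: it puts three origin checks that a hostile page can satisfy beside the check a reviewer should expect. The origins, the window stand-ins and the token value are assumptions constructed for the example so that it runs under Node without a browser; the actual domains and message shapes involved in the Slack issue are not on this page.

```javascript
// Added example (not code from the report or from Slack): a postMessage
// receiver that hands a session token to whoever asks, written with three
// origin checks a hostile page can pass and one that holds.
// Origins, the "window" stand-ins and the token are constructed for this
// example so it runs under Node; they are not Slack's values.

const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",   // assumed trusted origin: scheme + host (+ port)
  "https://team.example.com",
]);

const SECRET_TOKEN = "xoxs-placeholder-not-a-real-token"; // constructed value

// Stand-ins for window objects; only identity matters for event.source.
const popupWindow = { name: "popup-we-opened" };
const otherWindow = { name: "some-other-frame" };

// Build an object shaped like the MessageEvent a listener receives.
function makeEvent(origin, source, data) {
  return { origin, source, data };
}

function isTokenRequest(event) {
  return !!event.data && event.data.type === "get-token";
}

// Weak 1: no origin check at all. Any page holding a window reference
// (opener, frame, popup) can ask and gets the token.
function handlerNoCheck(event) {
  return isTokenRequest(event) ? SECRET_TOKEN : null;
}

// Weak 2: substring match. "https://app.example.com.attacker.test" and
// "https://attackerexample.com" both contain "example.com", and so does
// the plain-http origin.
function handlerSubstring(event) {
  const ok = String(event.origin).includes("example.com");
  return ok && isTokenRequest(event) ? SECRET_TOKEN : null;
}

// Weak 3: regex with the dots escaped but no end anchor, so any origin that
// merely starts with a trusted-looking prefix passes.
function handlerRegex(event) {
  const ok = /^https:\/\/[a-z0-9-]+\.example\.com/.test(String(event.origin));
  return ok && isTokenRequest(event) ? SECRET_TOKEN : null;
}

// Strict: exact origin match against an allowlist, the sender must be the
// window we ourselves opened, and the reply is pinned to the verified
// origin (the caller must use that as targetOrigin, never "*").
function handlerStrict(event, expectedSource) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;
  if (event.source !== expectedSource) return null;
  if (!isTokenRequest(event)) return null;
  return { token: SECRET_TOKEN, targetOrigin: event.origin };
}

// Run one origin/source pair through every handler. true means the handler
// released the token (a leak for the weak ones unless the origin is trusted).
function probe(origin, source) {
  const ev = makeEvent(origin, source, { type: "get-token" });
  return {
    noCheck: handlerNoCheck(ev) !== null,
    substring: handlerSubstring(ev) !== null,
    regex: handlerRegex(ev) !== null,
    strict: handlerStrict(ev, popupWindow) !== null,
  };
}

// Constructed probe set: one legitimate sender and five that should fail.
const PROBES = [
  ["https://app.example.com", popupWindow],               // legitimate
  ["https://app.example.com", otherWindow],               // right origin, wrong window
  ["http://app.example.com", popupWindow],                // scheme downgrade
  ["https://app.example.com.attacker.test", popupWindow], // trusted prefix, hostile suffix
  ["https://attackerexample.com", popupWindow],           // trusted substring, hostile host
  ["null", popupWindow],                                  // opaque origin (sandboxed frame)
];

for (const [origin, source] of PROBES) {
  console.log(origin.padEnd(40), source.name.padEnd(18), JSON.stringify(probe(origin, source)));
}
```

Only the strict handler releases the token for the first probe and refuses the other five; the substring check leaks to every origin that embeds the trusted name, and the anchored-at-the-start regex still leaks to the suffix trick. The second probe is the one reviewers most often miss: a correct origin is not enough when the page also holds a reference to the window it opened, because another document on the same trusted origin can still send the message.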