
It doesn’t have the keys, but it can inject any JavaScript and do whatever the user can do.


Like intercepting your OAuth token the next time you log in to SSO and then using that to access your tailnet.

This was true even before this new feature.

The new threat model is entirely psychological.


To me it seems they've taken all precautions they can reasonably take -- "what if the user installs a keylogger" isn't fixable by anyone.


"Installing a keylogger" is a vast oversimplification, even if it is outside of their threat model.

Installing almost anything in your browser is usually a matter of a couple of clicks.



