DEV Community


Discussion on: Evil Session Tokens

dl1ely profile image
Stefan Pfeiffer

Yes, the browser does an authenticated GET request to SIMPLE.COM. Please describe again how S1MPLE.COM gets hold of the cookie that the browser sends to SIMPLE.COM (and not S1MPLE.COM)? You are claiming that the malicious hacker web app can issue GET requests to retrieve private data. How? S1MPLE.COM can make my browser retrieve data from SIMPLE.COM into my browser. Which it does for me anyway. What is the genius idea that allows a website to steal my private data by embedding an image that links to SIMPLE.COM, when said private data never reaches that website?