SithEmpire 0 points 9 hours ago
Used a loophole in (some) browser security; normally dynamic/scripted requests are only allowed if they're back to the original server, with cross-origin requests controlled tightly via policy (CORS).
In these cases the browser was allowing cross-origin requests if the destination was the local machine. Combine that with their own apps listening for these requests locally, and you have a data link. This is used to remove the online anonymity by connecting the web user with the app user, which may have profile/contacts access it can leak.
Normally a lax CORS policy may allow a remote destination if the origin server is local, no authentication is involved, and the server aligns with that policy proactively when queried. Big difference there: the locally-served web script is being trusted.
This was the other way around: an insecure browser trusting a remote script to make a local request.
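Added example (not code from the thread or from any of the apps discussed): a model of the CORS decision a local listener makes when a page asks it for data, with the lax policy that hands any remote site a data link next to a strict allowlist, plus a simplified version of the browser-side check. The origins, ports and request dicts are constructed; the `Access-Control-Allow-Private-Network` opt-in header is the real Private Network Access header, which goes beyond what the comment mentions.

```python
"""Model of a localhost service answering cross-origin requests.

Constructed example: compares a lax CORS policy (echo any Origin) with a
strict loopback allowlist, and applies a simplified browser check to see
which origins end up with a readable data link to the local app.
"""
from urllib.parse import urlsplit

# Constructed allowlist: origins the local app legitimately serves itself.
LOCAL_ORIGINS = {"http://localhost:8080", "http://127.0.0.1:8080"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def origin_is_loopback(origin: str) -> bool:
    """True if the Origin header names the local machine."""
    try:
        host = urlsplit(origin).hostname  # strips IPv6 brackets
    except ValueError:
        return False
    return host in LOOPBACK_HOSTS


def lax_cors_response(request: dict) -> dict:
    """Weak setting: reflect whatever Origin the request carries.

    A remote page's script gets a readable response from the local app.
    """
    origin = request.get("Origin", "*")
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Private-Network": "true",
    }


def strict_cors_response(request: dict) -> dict:
    """Hardened: only allowlisted loopback origins receive CORS headers."""
    origin = request.get("Origin")
    if origin not in LOCAL_ORIGINS or not origin_is_loopback(origin):
        # No Access-Control-Allow-Origin at all: the browser blocks the read.
        return {"Vary": "Origin"}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    # Private Network Access preflight: opt in only for local origins.
    if request.get("Access-Control-Request-Private-Network") == "true":
        headers["Access-Control-Allow-Private-Network"] = "true"
    return headers


def browser_allows_read(origin: str, response: dict) -> bool:
    """Simplified browser rule: the response must name this origin or '*'."""
    acao = response.get("Access-Control-Allow-Origin")
    return acao is not None and acao in ("*", origin)


def evaluate(policy, origin: str) -> bool:
    """Run one constructed preflight-style request through a policy."""
    request = {"Origin": origin, "Access-Control-Request-Private-Network": "true"}
    return browser_allows_read(origin, policy(request))


if __name__ == "__main__":
    for origin in ("http://localhost:8080", "https://remote-site.example"):
        for name, policy in (("lax", lax_cors_response), ("strict", strict_cors_response)):
            print(f"{name:6} {origin:30} readable={evaluate(policy, origin)}")
```

The point of the comparison is the missing header rather than a denial: a local service that simply omits `Access-Control-Allow-Origin` for unknown origins (and never reflects the Origin value) leaves the browser nothing to trust, so a remote page cannot read the response even if the browser lets the request reach the loopback address.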