"In all seriousness, this attack vector is pretty slim. You’ve got to tempt unwitting users to visit your site, and to stay on it while they’re developing JS code."
Wrap the exploit up in a blog post about Rust -- or an article about gut bacteria -- and submit it to Hackernews. Boom, a virtual feast of secrets.
Exactly. I've got a blog with dozens of technical documents about JS and other topics. That would be an ideal place to harvest this type of information, from developers actively looking for a solution to a particular problem.
Are these not already phishing sites of some kind?
I used to have some co-workers who would dump JSON docs containing sensitive information into these sites all the time, despite my showing them how to format stuff in VS Code.
What is stopping Facebook, Reddit, or another popular site you have open while you're developing from adding this kind of thing and getting user info? Or am I misunderstanding something?
Theoretically nothing but it'd probably be a PR disaster even for a site like Facebook if people found out it was trying to steal their passwords. (Is that even legal?)
Would it? They do this sort of thing constantly. Recently Facebook was accused of trying to acquire a malware company to get at user data after iOS security restrictions became tighter. They were also accessing people's email accounts after requiring their email passwords for login to Facebook.
Technically, you only get legal issues if you do anything bad with the stolen passwords, but it'd totally be a PR disaster so they wouldn't do it anyways.
Since passwords are GDPR protected data, just saving them (and not using them) without consent is at least a breach of GDPR and illegal in most EU member states.