Would be great to add the options to disable Blur images.
Description
I think the addition of the blur canvas screenshot is great, but I think this should be optional.
Any response from the Devs about this? @dxa4481 @dustin-decker @hxnyk @morph3
Hey there. The concern is that user data ends up getting captured in BXSS payloads. When your payload fires on a local data scientist's Jupyter notebook, and they load all the users up, you could end up with a screenshot with way more than just your user.
Pulling other users' data is almost always out of scope for bug bounties, and it's also questionable from a privacy standpoint. I gave a talk on this last year at Black Hat https://www.youtube.com/watch?v=qj0bre85DXY
So the short answer is we don't want to enable this feature as it may end up with a lot of data privacy issues. I think we're open to some creative alternatives, like maybe collecting and surfacing all the domains from URLs, or perhaps even a raw count of how many email addresses are on the page, without actually having them revealed.
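
The alternative suggested above (surfacing only the domains from URLs and a raw count of email addresses) can be sketched as a data-minimizing summary. This is an added example, not part of the thread or of the project's code; `summarizePage`, its return shape and the sample text are assumptions made for illustration.

```javascript
// Hypothetical helper: reduce captured page text to aggregates only.
// Returns hostnames seen in URLs and a count of distinct email addresses;
// no address, path or query string is ever returned.
function summarizePage(text) {
  const domains = new Set();
  // Absolute http(s) URLs; stop at whitespace, quotes and angle brackets.
  const urlPattern = /https?:\/\/[^\s"'<>]+/gi;
  for (const match of text.match(urlPattern) || []) {
    try {
      // Keep the hostname only: path, query and fragment can carry user data.
      domains.add(new URL(match).hostname.toLowerCase());
    } catch (e) {
      // Malformed URL: skip it rather than keep the raw string.
    }
  }
  // Count distinct addresses case-insensitively; the set stays local.
  const emailPattern = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/g;
  const emails = new Set(
    (text.match(emailPattern) || []).map((e) => e.toLowerCase())
  );
  return { domains: [...domains].sort(), emailCount: emails.size };
}

// Constructed sample markup (not real data).
const SAMPLE = [
  '<a href="https://admin.example.com/users?id=42">Users</a>',
  "<td>alice@example.com</td><td>bob@example.org</td>",
  "<td>Alice@example.com</td>",
  '<img src="http://cdn.example.net/logo.png">',
  '<a href="https://admin.example.com/export?email=carol%40example.com">x</a>',
].join("\n");

console.log(JSON.stringify(summarizePage(SAMPLE)));
```

The query string `?id=42` and the percent-encoded address in the last link are dropped because only the hostname of each URL is kept.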