Security/Reviews/F1 (round 2): Difference between revisions

Security/Reviews/F1 (round 2) (view source)

142 bytes added , 26 September 2011

Confirmed users

169

edits

@@ Line 44: / Line 44: @@
 == Threat Brainstorming (30-40 minutes) ==
-* Screenshot image leakage (potentially sensitive data shows up in screenshots that are shared)
+* <strike>Screenshot image leakage (potentially sensitive data shows up in screenshots that are shared)</strike>
+** '''page screenshot has been removed'''
 ** only works for email which is not in current implementation, might be dropped due to privacy concerns
 ** Shane says probably it will just be pulled out.
 * Can arbitrary content invoke the OAuth flow/dialog ?
-** as of right now yes, this is a property of the injector that needs to be fixed
+** no, the flow/dialog is a part of the flow of the mediator now
+** <strike>as of right now yes, this is a property of the injector that needs to be fixed</strike>
 ** by design no, this is due to reuse of injector code
 *** good thing to test during implementation review/penetration testing
@@ Line 55: / Line 57: @@
 * Starting Share/F1 (or any activity) could be the "new window.open()"
 ** jstenback is the person to talk to about trusted events being required for startActivity
 == Conclusions / Action Items (10-20 minutes) ==
 * [scaraveo]Need to figure out if the temporary part for Twitter OAuth will end up in the product, or if we can cut it out before the first release.