Hey there. The concern is that user data ends up getting captured in BXSS payloads. When your payload fires on a local data scientist's Jupyter notebook, and they load all the users up, you could end up with a screenshot with way more than just your user.
Pulling other users' data is almost always out of scope for bug bounties, and it's also questionable from a privacy standpoint. I gave a talk on this last year at Blackhat https://www.youtube.com/watch?v=qj0bre85DXY
So the short answer is we don't want to enable this feature as it may end up with a lot of data privacy issues. I think we're open to some creative alternatives, like maybe collecting and surfacing all the domains from URLs, or perhaps even a raw count of how many email addresses are on the page, without actually having them revealed.
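The privacy-preserving alternative sketched in the comment above, as an added example that is not part of the project's code: given the text content of a captured page (here a constructed sample string standing in for the page), it returns only a count of e-mail addresses and the set of hostnames from URLs, and a copy with every address redacted, so nothing stored identifies other users.

```javascript
// Added example, not xsshunter's own code. Input is assumed to be the
// page's text content (e.g. document.body.innerText); here a constructed sample.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const URL_RE = /https?:\/\/[^\s"'<>]+/g;

function summarizeCapture(text) {
  // Count addresses without keeping them.
  const emailCount = (text.match(EMAIL_RE) || []).length;

  // Keep only the hostname of each URL, never the full path or query string.
  const domains = new Set();
  for (const u of text.match(URL_RE) || []) {
    try {
      domains.add(new URL(u).hostname);
    } catch (e) {
      // Skip anything the URL parser rejects rather than storing it raw.
    }
  }

  // Redact every address in place so the stored copy carries none of them.
  const redacted = text.replace(EMAIL_RE, "[email redacted]");

  return { emailCount, domains: [...domains].sort(), redacted };
}

// Constructed sample page text (fake users and hosts).
const SAMPLE = [
  "Users loaded: alice@example.com, bob@example.org, carol@example.net",
  "Export link: https://data.example.com/export?format=csv",
  "Docs: https://docs.example.org/notebooks/intro.",
].join("\n");

const summary = summarizeCapture(SAMPLE);
console.log(summary.emailCount, summary.domains);
```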
Description
I think the addition of the blur canvas screenshot is great, but I think this should be optional.