💾 Archived View for station.martinrue.com › acidus › 2b99fac39f9f4b22a94ea16e5e1f261b captured on 2023-04-26 at 14:38:11. Gemini links have been rewritten to link to archived content


👽 acidus

oh shit. I just found JavaScript code execution in a Gemini browser 😬😬. I’m literally looking at an Alert dialog. (goes looking for developer contact info…)

1 year ago · 👍 eph, lykso, staticvoid, birabittoh, kaylee, comatoast


5 Replies

👽 acidus

I think that’s exactly what’s happening @birabittoh · 1 year ago

👽 moddedbear

Can't escape JS even here · 1 year ago

👽 birabittoh

Some browsers actually translate gemtext to HTML, then use a webview to render the page. That's why you can probably do code injection, but as long as most people use Lagrange or any terminal-based client like Amfora it should be fine · 1 year ago

👽 acidus

Not Lagrange 😅. I’m gonna try to get the developer to fix the problem before I talk about it in too much detail. I’m not entirely sure how severe it is because I’m not yet sure what context/origin the JS is executing. Doesn’t look like it can access file URIs but I can force it to make network requests, so if it can access privileged information, the attacker has a way to exfiltrate data. I’ve emailed the developer, let’s see what happens. · 1 year ago

👽 smokey

which one? · 1 year ago
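
The conversion described in birabittoh's reply (gemtext translated to HTML and rendered in a webview) is only safe if every piece of capsule text is escaped and link targets are restricted to known schemes. The following is an added example, not part of the thread and not any client's actual code; the function names, the allowed-scheme list and the sample page are assumptions constructed for illustration:

```javascript
// Added example: escape-by-default gemtext -> HTML conversion for a webview client.
const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const esc = (s) => s.replace(/[&<>"']/g, (c) => ESC[c]);
const FENCE = "`".repeat(3); // gemtext preformatted toggle marker

// Assumption: schemes this hypothetical client turns into clickable links.
const ALLOWED_SCHEMES = new Set(["gemini:", "https:", "http:"]);

function safeHref(raw, base) {
  try {
    const u = new URL(raw, base); // resolves relative links against the page URL
    return ALLOWED_SCHEMES.has(u.protocol) ? u.href : null;
  } catch {
    return null; // unparseable target: render the label as plain text
  }
}

// List and quote lines are rendered as escaped paragraphs to keep the example short.
function gemtextToHtml(text, base) {
  const out = [];
  let pre = false;
  for (const line of text.split(/\r?\n/)) {
    if (line.startsWith(FENCE)) {
      pre = !pre;
      out.push(pre ? "<pre>" : "</pre>");
    } else if (pre) {
      out.push(esc(line));
    } else if (line.startsWith("=>")) {
      const m = line.slice(2).trim().match(/^(\S+)\s*(.*)$/);
      const href = m && safeHref(m[1], base);
      const label = esc(m ? m[2] || m[1] : "");
      out.push(href ? `<p><a href="${esc(href)}">${label}</a></p>` : `<p>${label}</p>`);
    } else {
      const h = line.match(/^(#{1,3})\s*(.*)$/);
      out.push(h ? `<h${h[1].length}>${esc(h[2])}</h${h[1].length}>` : `<p>${esc(line)}</p>`);
    }
  }
  if (pre) out.push("</pre>"); // close an unterminated preformatted block
  return out.join("\n");
}

// Constructed sample page: markup in a text line and a non-allowlisted link scheme.
const SAMPLE = [
  "# Title",
  "<script>alert(1)</script>",
  "=> javascript:alert(1) click me",
  "=> gemini://example.org/ Home",
].join("\n");
```

Escaping covers the rendering path only; a webview used this way should also have script execution disabled or a restrictive Content-Security-Policy, so that a missed escape does not become code execution.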