👽 acidus

oh shit. I just found JavaScript code execution in a Gemini browser 😬😬. I’m literally looking at an Alert dialog. (goes looking for developer contact info…)

2 years ago · 👍 eph, lykso, staticvoid, birabittoh, kaylee, comatoast

5 Replies

👽 acidus

I think that’s exactly what’s happening @birabittoh · 2 years ago

👽 moddedbear

Can't escape JS even here · 2 years ago

👽 birabittoh

Some browsers actually translate gemtext to HTML, then use a webview to render the page. That's why you can probably do code injection, but as long as most people use Lagrange or any terminal-based client like Amfora it should be fine · 2 years ago
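
The gemtext-to-HTML step described in the reply above, as an added example that is not part of the thread and not taken from any real client. It covers only headings, link lines, preformatted blocks and plain text lines; every function name and the sample page are hypothetical. The `escape` flag switches between splicing page text into markup unchanged and the hardened path.

```javascript
// Added example: gemtext -> HTML conversion for a webview-based client.
// Hypothetical names throughout; not any real client's code.
const ALLOWED_SCHEMES = ["gemini", "https", "http"];

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Allow relative links and allow-listed schemes; anything else becomes an inert "#".
function safeHref(url) {
  if (/[\u0000-\u0020]/.test(url)) return "#"; // control chars can hide a scheme
  const m = /^([^:\/?#]*):/.exec(url);
  if (m && !ALLOWED_SCHEMES.includes(m[1].toLowerCase())) return "#";
  return escapeHtml(url);
}

// Convert gemtext to HTML. escape=false reproduces the flaw: page-controlled
// text and link targets reach the webview as live markup.
function gemtextToHtml(src, escape = true) {
  const esc = escape ? escapeHtml : (s) => s;
  const href = escape ? safeHref : (s) => s;
  const out = [];
  let pre = false;
  for (const line of src.split(/\r?\n/)) {
    if (line.startsWith("```")) {
      out.push(pre ? "</pre>" : "<pre>");
      pre = !pre;
    } else if (pre) {
      out.push(esc(line));
    } else if (line.startsWith("=>")) {
      const m = /^=>\s*(\S+)\s*(.*)$/.exec(line);
      if (!m) { out.push(`<p>${esc(line)}</p>`); continue; }
      out.push(`<p><a href="${href(m[1])}">${esc(m[2] || m[1])}</a></p>`);
    } else {
      const h = /^(#{1,3})\s*(.*)$/.exec(line);
      out.push(h ? `<h${h[1].length}>${esc(h[2])}</h${h[1].length}>` : `<p>${esc(line)}</p>`);
    }
  }
  if (pre) out.push("</pre>");
  return out.join("\n");
}

// Constructed sample page: a heading, a text line carrying markup, and a link line.
const SAMPLE = "# Hello\n<script>alert(1)</script>\n=> javascript:alert(1) click me";
```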

👽 acidus

not Lagrange 😅. i’m gonna try to get the developer to fix the problem before I talk about it in too much detail. I’m not entirely sure how severe it is because I’m not yet sure what context/origin the JS is executing. doesn’t look like it can access file URIs but I can force it to make network requests, so if it can access privileged information, the attacker has a way to exfiltrate data. i’ve emailed the developer, let’s see what happens. · 2 years ago

👽 smokey

which one? · 2 years ago