Disturbed by @DonorBox-powered UI's interaction with Web's security model: it asks for bank login/password on origin that's not the bank's.
The criminal could be someone who sets up a site similar to yours, using something that looks like @DonorBox, but steals the password
It could also be somebody who hacks the @yimbyaction website, since users entering bank passwords into that site makes it a valuable target
The fundamental problem is that the browser URL bar says who you're communicating with. Users should never enter bank password at not-bank.

Aug 18, 2017 · 3:19 AM UTC

Teaching users that that's OK sometimes is teaching them to do things that put them at very serious risk online.