Safeguarding Your Website — BigScoots
www.androidheadlines.com
Safeguarding Your Website — BigScoots

A security researcher decompiled the White House’s new official app and found some alarming stuff buried in the code, including a hidden GPS tracking pipeline, JavaScript loaded from a random GitHub account, no SSL certificate pinning, and an in-app browser that silently strips cookie consent dialogs and paywalls from every page you visit.

  • auntieclokwise@lemmy.world
    8·
    5 hours ago

    And it gets even stranger. Apparently, the app is loading JavaScript from a random person’s GitHub site for YouTube embeds. Yes, you read that right, it’s just loading JavaScript from a random GitHub site. So if that account ever gets compromised, arbitrary code could run inside the app’s WebView.

    Somebody has the opportunity to do the most hilarious thing.