These days with service workers and what not you might need more than a quick glance at the network log if you suspect the web page is malicious.
Even for non-malicious sites this can be a problem.
I think a notable case of the second category is jwt.io which last I checked definitely seemed to fire a few network requests after I pasted a token.
(Happy to be corrected if this is obviously false or has been corrected later.)
That said I couldn't see my token in one of them but it is scary enough to make me avoid using that site.
BTW, I think their statement/claim
> "Warning: JWTs are credentials, which can grant access to resources. Be careful where you paste them! We do not record tokens, all validation and debugging is done on the client side."
is correct, it's just too scary for me to put client credentials there at all when it isn't trivially easy to prove that they aren't uploaded.
> I think a notable case of the second category is jwt.io which last I checked definitely seemed to fire a few network requests after I pasted a token.
They do make requests to https://b.6sc.co/ all the time, regardless of whether you paste anything or just have it open as an idle tab. Seems to be some kind of analytics that just tracks your time on the page and whether you are active or not. With that said, I just fired up a proxy now when you mentioned it; I have not actually properly investigated it.
My guess is it is just analytics, but as recent events have shown, they are then one misconfiguration away from sending highly sensitive data to Facebook or someone else.