Currently Glitch stores user token in LocalStorage which creates security vulnerability where an attacker can create a code or extension to steal it without user’s notice and be able to perform some actions that user would not like. In a conclusion Glitch should store user token in Cookie instead with Secure, SameSite and HttpOnly flags, which will make stealing user token a lot harder.
What do you think, is that a good idea? and why?
Yes, that’s a bad idea.
You also could make a script which collects cookies and sends it to a server which people will auctally do (hence everyone complaining about their robux/accounts being stolen)
There is a tutorial for that which Blogger (a.k.a Google) refused to take down.
Basically you could get cookies and fetch them to a server using JavaScript. Which has happened and people fall for it daily.
It is also easy for people who make YouTube videos to get your token.
also noting you can require fs somewhere and run this
fs.writeFile('/heheboisthetoken', cookie); // the cookie would be their token
I didn’t know fs could run client side. How do you do that?
No 
node.js when you are on /
This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.