https://warpcast.com/~/channel/eth-security
Thomas Humphreys
@so
I came across a protocol that's done over $100M+ in volume with big customer names, but their frontend auth is poorly designed. They're exposing WebAuthn details, which isn't the main issue — it's the fact that they're also leaking customer emails. This opens the door for social engineering attacks, making it far too easy for attackers to target them. If you're a non-custodial protocol, avoid advertising your customers — especially if I can easily identify which users are using your system and whether they have admin-level access.
Johanna 🎩
@johanna
May I know the name of the protocol?