How Genius annotations undermined web security
Until early May, when The Verge confidentially disclosed the
results of my independent security tests, the “web annotator”
service provided by the tech startup Genius had been routinely
undermining a web browser security mechanism. The web
annotator is a tool which essentially republishes web pages in
order to let Genius users leave comments on specific passages.
In the process of republishing, those annotated pages would be
stripped of an optional security feature called the Content
Security Policy, which was sometimes provided by the original
version of the page. This meant that anyone who viewed a page
with annotations enabled was potentially vulnerable to
security exploits that would have been blocked by the original
site. Though no specific victims have been identified, the
potential scope of this bug was broad: it was applied to all
Genius users, undermined any site with a Content Security
Policy, and re-enabled all blocked JavaScript code.
– snip –
Skip to content
Education for K12 + Citizens