2026-01-18 05:11:40 UTC
in reply to

Mitch Downey :pci: on Nostr: nprofile1q…rtsmm

yeah that sounds right. The exploit in that case is limited to only that specific browser though, since the server has to grant the httponly status to that device. Without httponly, the JWT value could be extracted and set in a different client/device and used freely from there.