doom
@mydoom1337 @fomo “High Risk” is doing a lot of cardio here.
Useful hardening notes, sure. But the public framing feels a lot more like pressure posting than responsible disclosure.
8/
RECOMMENDED IMMEDIATE ACTIONS
Priority 1:
Deploy HSTS, CSP, X-Frame-Options, and X-Content-Type-Options globally.
Remove sensitive paths from robots.txt.
Firewall or decommission unused internal-looking subdomains.
Restrict staging, preview, and production-adjacent hosts.
Protect /swagger, /graphql, /health, and API introspection surfaces.
Priority 2:
Tighten cookie SameSite settings.
Add SRI hashes to external scripts.
Review token, user, profile, export, and verification endpoints.
Add strict authentication, authorization, and rate limiting.
Run a full subdomain vulnerability scan.
Check for debug endpoints, exposed .env files, and forgotten secrets.
Responsible disclosure matters.
The goal is not public shaming.
The goal is remediation, user protection, and a simple reminder:
In crypto, security is product quality.
We have already reported the exposed subdomains and related security findings to support@fomo.family under responsible disclosure. We are giving the team a fair opportunity to acknowledge, investigate, and remediate before any deeper technical details are shared publicly.
7/
COMBINED ATTACK SCENARIO — Why This Matters
Individually, some findings may look like “configuration hardening.”
But chained together, they form a credible and dangerous attack path:
Public recon reveals sensitive routes.
1-Production-adjacent infrastructure maps API behavior.
2-Missing CSP and frame protections weaken browser defenses.
3-Clickjacking or injected scripts can target authenticated users.
4-Weak cookie/session posture increases impact.
5-Missing HSTS increases downgrade risk on hostile networks.
6-A stolen session may allow user impersonation.
7-User data, portfolio details, wallet addresses, or financial actions may be exposed.
This is not theoretical.
It is how small misconfigurations become a real platform-level risk.
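The Priority 1 and Priority 2 items in post 8/ and the chain in post 7/ can be checked mechanically against a captured response. The following is an added example, not tooling from the thread author or from fomo.family: a Python audit that runs offline over two hand-constructed HTTP responses (the host names app.example.test and cdn.example.test, the cookie name, the header values and the vendor script are all made up), flags the missing hardening headers, cookie flags and missing SRI, and then maps the individual findings onto the combinations the thread says turn a hardening gap into an attack path.

```python
"""Offline audit of the thread's hardening checklist over constructed responses.
Added example; not code from the thread author or fomo.family. All hosts,
cookies, header values and the vendor script below are made up."""
import base64
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse


@dataclass
class Response:
    """A captured HTTP response. Constructed by hand; nothing is fetched."""
    url: str
    headers: Dict[str, str]
    set_cookies: List[str] = field(default_factory=list)
    body: str = ""


# Priority 1 headers from the checklist, lower-cased for lookup.
REQUIRED_HEADERS = ["strict-transport-security", "content-security-policy",
                    "x-frame-options", "x-content-type-options"]
ONE_YEAR = 31536000
SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def sri_hash(content: bytes) -> str:
    """SRI value for a script body: algorithm prefix plus base64 digest."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


def header_findings(resp: Response) -> List[str]:
    h = {k.lower(): v for k, v in resp.headers.items()}
    out = [f"missing:{name}" for name in REQUIRED_HEADERS if name not in h]
    # CSP frame-ancestors is the modern equivalent of X-Frame-Options; accept either.
    if "missing:x-frame-options" in out and "frame-ancestors" in h.get("content-security-policy", ""):
        out.remove("missing:x-frame-options")
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (m is None or int(m.group(1)) < ONE_YEAR):
        out.append("weak:hsts-max-age")  # present, but too short to protect returning users
    return out


def cookie_findings(resp: Response) -> List[str]:
    """Secure, HttpOnly and SameSite=Lax/Strict on every Set-Cookie (Priority 2)."""
    out = []
    for raw in resp.set_cookies:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {}
        for p in parts[1:]:
            k, _, v = p.partition("=")
            attrs[k.lower()] = v
        if "secure" not in attrs:
            out.append(f"cookie:{name}:no-secure")
        if "httponly" not in attrs:
            out.append(f"cookie:{name}:no-httponly")
        samesite = attrs.get("samesite", "").lower()
        if samesite not in ("lax", "strict"):
            out.append(f"cookie:{name}:samesite-{samesite or 'missing'}")
    return out


def sri_findings(resp: Response) -> List[str]:
    """Cross-origin <script src> without an integrity attribute (Priority 2 SRI item)."""
    own = urlparse(resp.url).netloc
    out = []
    for m in SCRIPT_RE.finditer(resp.body):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        src = attrs.get("src", "")
        if urlparse(src).netloc not in ("", own) and "integrity" not in attrs:
            out.append(f"sri:missing:{src}")
    return out


def audit(resp: Response) -> List[str]:
    return header_findings(resp) + cookie_findings(resp) + sri_findings(resp)


def chained_risk(findings: List[str]) -> List[str]:
    """Map single findings onto the chain in post 7/: which combinations let an
    attacker reach an authenticated user rather than just an unhardened page."""
    f = set(findings)
    framable = "missing:x-frame-options" in f
    no_csp = "missing:content-security-policy" in f
    no_hsts = "missing:strict-transport-security" in f
    # A Lax/Strict cookie is not sent to a cross-site iframe, so framing alone hits
    # a logged-out page; a missing or None SameSite is what makes framing matter.
    cross_site_session = any(x.startswith("cookie:") and ":samesite-" in x for x in f)
    plaintext_session = any(x.endswith(":no-secure") for x in f)
    risks = []
    if framable and cross_site_session:
        risks.append("clickjacking against authenticated users")
    if no_csp and any(x.startswith("sri:") for x in f):
        risks.append("substituted third-party script runs in the user's session")
    if no_hsts and plaintext_session:
        risks.append("session cookie exposed by downgrade on a hostile network")
    return risks


# Constructed samples: the weak posture and the hardened one.
VENDOR_JS = b"console.log('vendor');"  # stand-in for a third-party script body
WEAK = Response(
    url="https://app.example.test/dashboard",
    headers={"Content-Type": "text/html"},
    set_cookies=["session=abc123; Path=/"],
    body='<script src="https://cdn.example.test/vendor.js"></script>',
)
HARDENED = Response(
    url="https://app.example.test/dashboard",
    headers={"Content-Type": "text/html",
             "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
             "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
             "X-Content-Type-Options": "nosniff"},
    set_cookies=["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
    body=(f'<script src="https://cdn.example.test/vendor.js" '
          f'integrity="{sri_hash(VENDOR_JS)}" crossorigin="anonymous"></script>'),
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        found = audit(resp)
        print(label, found, "->", chained_risk(found))
```

Run it as-is and the weak response produces every Priority 1 header finding plus the cookie and SRI gaps, and chained_risk reports all three combinations from post 7/; the hardened response produces no findings. Feeding it real captures is a matter of filling a Response from the status line, headers and body you actually received; the point of the chained_risk step is that a missing X-Frame-Options header on its own is a hardening note, while the same header missing on a host that sets a session cookie without SameSite is a clickjacking path against logged-in users.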