Session Desktop (@session_app) has a critical Electron misconfiguration that turns any XSS or code injection bug into remote account compromise. A single vulnerability in message/content handling = complete account takeover. rmoskovy.github.io/posts/session-… #Session #cybersecurity #threatintel

@rmoskovy @session_app the window.getUserKeys() (which returns Ed25519 private key) is explicitly exposed on the global window object via preload.js. This means any XSS in the renderer = immediate key exfil with zero require() calls needed. Still hunting for the XSS sink tho any ideas 🤔?