> that doesn't actually give the bad actor any useful information except for the characters used (without the order or number of times they're used)
Keep reading until the part where they use first-line to filter which part of the text to apply the font to and CSS animations to vary how long that first line is.
I did. That still only tells you the first time those characters are used forwards and backwards. It's unhelpful for email addresses where the likelihood of repeated characters goes up a lot and for any passwords where there are multiples of the same character.
It's still a security issue but it doesn't seem like one that would be very practical.
Let's say your password is Refridg3r@t0r. How hard is it to guess that password if you are given the strings Refridg3@t0, r0t@3gdifeR? What about f.lastname@gmail.com => f.lastnme@gico, moc.liag@entsf? You try a handful of possible combinations using this knowledge, and if they don't work, you move on to the next target. Personally, some of my credentials would be very, very easy to guess given this information.
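Added example, not from the thread: a small Python model of the leak as the commenters describe it (the characters of a string in order of first use, read forwards and then backwards), so you can check the worked strings above and measure how much of a given secret the leak leaves unknown. The "first occurrence from each end" model is an assumption taken from the comments, not from the original write-up.

```python
def first_occurrences(s: str) -> str:
    """Characters of s in order of first appearance (duplicates dropped)."""
    seen = set()
    out = []
    for ch in s:
        if ch not in seen:
            seen.add(ch)
            out.append(ch)
    return "".join(out)


def leaked_views(secret: str) -> tuple[str, str]:
    """What the described leak exposes: the forward first-occurrence string
    and the same thing computed over the reversed secret (assumed model)."""
    return first_occurrences(secret), first_occurrences(secret[::-1])


def assess(secret: str) -> dict:
    """Defender-side summary: how much of the secret the two views hide."""
    fwd, bwd = leaked_views(secret)
    distinct = len(set(secret))
    return {
        "forward": fwd,
        "backward": bwd,
        "length": len(secret),
        "distinct_chars": distinct,
        # characters whose position/count is lost because they repeat
        "repeats_hidden": len(secret) - distinct,
        # with no repeated characters the forward view is the secret itself
        "fully_recovered": fwd == secret,
    }


if __name__ == "__main__":
    # Sample secrets taken from the discussion above (constructed test data)
    for s in ["Refridg3r@t0r", "f.lastname@gmail.com",
              "dogeatdogworld", "x8GiuG08geejXx"]:
        print(s, "->", assess(s))
```

The `repeats_hidden` count is the number of characters the attacker never sees a position for; a secret with no repeats at all is exposed in full by the forward view alone.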
That would be an easier target because it's a dictionary word and it's a single word. But what if your password is 'dogeatdogworld'? What if your password is 'x8GiuG08geejXx'?
It just seems like it would only be useful for the most insecure username/password combos. Again, I'm not saying that it's not a security breach, but the usefulness seems limited unless someone is willing to try and brute force things for an unknown gain.
I think it's fair to say that most laypeople's passwords are not particularly secure, but it's still not feasible to brute-force them unless you can conduct an offline attack. I think this makes an online attack much more feasible on an insecure (read, most) password.
Look at every time a huge password list leaks. I had access to a several million entry user table at the company I worked at in the early 2000s and the #1 pass was "trustno1" and the #2 was "12345678".
Looking back, I have no idea why we stored the passwords in plaintext and I assume it stayed that way until the code was phased out in 2009. This app was used by some of the largest corps in the world, including Microsoft, and was live on the web.
And the animation part to steal dupes. This guy is insane. I'm scared of everything now. If I was the author of Ublock Origin I probably would have just thrown up my hands and switched to pottery.
Raymond Hill (author of uBlock Origin) is doing fantastic work on the addon, on both the technical level and the politics, which an AdBlock addon tends to get bashed for often.
Even the smartest of us make mistakes. The right thing to do is fix, learn, and move on.
The author of the addon triaged and fixed it in just five days, which is super impressive.