ChainCatcher news: SlowMist founder Yu Xian disclosed, on the X platform, an XSS attack targeting the cryptocurrency industry. The attacker exploited an XSS vulnerability on the website of the cryptocurrency media outlet Cointelegraph to lure target users into opening an official Cointelegraph link (carrying a malicious XSS script), whereupon:

  • The malicious script is loaded and executed;

  • The address bar is set to a suspicious address (at first glance, it looks like an unofficial draft);

  • Then a fake Sign in with X pop-up appears;

  • After clicking Sign in with X, the X third-party application authorization page opens with a huge blank space in its permissions list. If you are not careful and click to authorize, the permissions associated with your X account are taken over by the attacker.

This type of phishing, which layers a modest vulnerability exploit on top of an ordinary lure, is even harder for the public to guard against and calls for extra caution.