...loading from cdn.discordapp.com

1. create form element with a malicious POST request
2. create label for submit button
3. size label to cover the entire screen or some important ui element (the report button, for example)
4. ???
5. profit

@pastelpunkbandit it's also a *massive* security vulnerability. Your post can easily overlap the entire page, overlapping/replacing UI elements etc. Like smh at least iframe your user content

@pastelpunkbandit it's hard to tell what is/isn't possible without having an account, but it's not looking good..

@charlag sure, gmail for example will strip a position: fixed so you can't overflow outside the email content section. I can't really tell if cohost strips anything since I don't have an account, but they seem to give users a lot of options so uhh, yeahh

imo there's also a big difference between clicking an email which then influences the screen, versus scrolling through a timeline where anything could show up (and mess with your cursor, for example)

@f0x apparently one needs an invite code to post so could you text this for me:

<img src="invalid.tld" onerror="alert(document.cookie)"/>

If it works they really messed up, which wouldn't surprise me considering none of the inputs on the sign up page have correct labels

@dysphoricunicorn i don't have an invite either hah, but it wouldn't surprise me much either

@f0x oh, that's a shame :/

@f0x you could also do fun things like search for all boost buttons on a page and auto click them, making the post propagate virally

@dysphoricunicorn yes, like the tweetdeck xss self-boosting tweet :D