H&R Block at risk for injection attack - LeeWhoLikesMath
https://medium.com/p/6a4f71578d7c

======
LeeWhoLikesMath
What is the magnitude of the risk posed by this weakness?

~~~
brianmwaters_hn
There are no details given. I know; the author says up front he's (she's?) not
a security person.

It looks, though, like the user can inject arbitrary JSON into their client
side code. Not very interesting; I'm sure they're doing proper validation on
the server.

~~~
LeeWhoLikesMath
I only just noticed that the registration page where the password and security
question/answer are initially set isn't even HTTPS. Even if the input is
sanitized on the server side, that's another huge invitation for an attack.