Comment 15 for bug 1575913

Jeremy Stanley (fungi) wrote :

Agreed, this is certainly worth fixing, and maybe even worth backporting. I'm just questioning whether its severity is sufficient to warrant wider communication given that exploiting it would rely on social engineering or some other vulnerability allowing you to obtain a user's keys or compel them to take some action through the UI/API (in which case there are probably far easier ways to achieve the desired outcome from your victim anyway). The line between a hardening opportunity (D) and an impractical vulnerability (C1) is often pretty fuzzy.