If you use Google to send email, organize photos or help administer your website, doomwatchers have cataloged three new ways to steal your data and compromise the security of your users. All three of the techniques rely on cross site scripting, or XSS, in which hackers inject unauthorized code by making it appear as if it's …
So if I just delete all my contacts from address book, they cant steal them, hell yeah that'l work.
just say no to js
Of course, XSS, can be prevented if the sites in question are ruthless with input filtering and html quoting. If. Having some js to do frame breakout will make iframe injection attacks pretty obvious. Ahh, frames. Don't you wish you could go back in time and give that smartarse at Netscape a good kicking. It would have been nice for a site to inform the browser than js should be disabled for this page regardless of any other setting or outer frames. But it's way too late for that.
CSRF is a trickier beast. It's your site (which naturally is perfect) being attacked by a badguy or compromised site. As the request comes from a legitimate user of your site, or technically from their browser, discriminating a genuine request from a bad one is a knotty problem. A solution being to ask for their password to confirm serious actions.
Or, ironically, have some js detection code to say "This site best viewed with JS off."
The joys of unintended consequences...
I wondered how long it would take
someone to notice this I generally avoid js I am allergic to client side code but there things they want to do that require the browsers help so I oblige knowing full well there isn't too much chance it's safe may god have mercy on my watery soul. Still it's good to know I am not alone.
None of the 'exploits' work
Yeah very classy article, and excellent research too! Well done Reg!
Oh, wait a minute, these exploits are a bunch of crap and don't work.
Did the author test the code before he submitted this article?
Just try logging into uk.yahoo.com with XSS turned off. Takes about 6 authentication pages, as it jumps from one site, to another to another, each one no longer handing the info across. (As if they ever should have: nice design folks)
Did you read the article?
"A Google spokesman on Monday afternoon said the flaw had been fixed."
"We plugged both addresses into version 7 of IE and only the latter appeared to work, so it's possible that ICANN has already plugged the hole."
Maybe, just maybe people are fixing the problem before you got your mouth and brain into gear....
i am sure that a few java programmers (they probably also like ridiculous linux) will be offended by this post but to them i say, see you next tuesday.
Ex Pat wrote:
Oh, and Ex Pat: "ridiculous linux"? You mean the platform that powers so many web servers across the world? Including - oh my - The Register itself:
Server: Apache/2.0.54 (Debian GNU/Linux)
You *might* wanna consider a bit of research before shooting off at the mouth. It might just help you look a little *less* dim.
@Liam the gay lemming
Er, less dim? Java, smava. Who cares if they are different, they still are based on the same crappy foundation and all suck regardless.
Just because linux powers a few web servers does not make it automatically a good product. iTunes unfortunately powers my the syncing of my iPod but it still sucks as a product.
in most browsers.
It was designed as a "prototype"d language but you can downgrade to an OO
style of programming if you want. (In practice most JS programmers downgrade to a K&R C style of programming).
Java is a C like langauge compiled to a virtual machine language which runs very inefficiently on most browsers.
The only thing they have in common is the use of curly brackets to denote a block of code.
Try "http://www.masswerk.at/JavaPac/JS-PacManPlus.htm" to see what can be done in pure JS.
you are a really boring person. stuck reading Linux User in the basement with Liam the gay lemming. At least we now know who does the rubbing while he is turning the pages.