Thursday, October 13, 2005

Myspace CSRF and XSS Hack - Chris Shiflett:
This attack seems pretty harmless (I'd rather not discuss ethical concerns), but it demonstrates something very powerful - a combination of XSS and CSRF. If your site has XSS vulnerabilities, they can be used to launch much more effective CSRF attacks. Rather than only a small percentage of people being affected, everyone is, because the attacker is guaranteed that all victims have an established relationship with the target site, yours.

(Via Planet PHP.)

Mozilla and hypocrisy

Right, but what about the experiences that Mozilla chooses to default for users like switching to  Yahoo and making that the default upon ...