Hi.

> In reality, I have yet to see any evidence that this problem actually
> exists in the wild.

I'd caution against dismissing this possibility out of hand.

> A potential hacker would need to find a site that delivers private data
> in this very specific fashion, build a page to exploit that, then have
> you visit his page AFTER you have already logged in and established
> a session on the other site.

It's really the second point that seems to make this unlikely, but please consider that some very high profile sites have exposed XSS vulnerabilities. The myspace worm for example got millions of hits:

http://namb.la/popular/

Don't think that hasn't happened on that scale elsewhere (it has) or won't happen again on another equally high profile, high traffic site (it will). The key is that any site that has an XSS vulnerability can be used by an attacker to do session riding on everyone who visits.

> A potential hacker would need to find a site that delivers private data
> in this very specific fashion

This is still true, so if you care, don't publish your data this way.

------>Nathan

-----Original Message-----
From: jquery-en@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Matt Kruse
Sent: Monday, April 16, 2007 8:01 AM
To: jQuery (English)
Subject: [jQuery] Re: JavaScript Hijacking - Jquery among the vulnerable ones

On Apr 16, 9:11 am, "Scottus " <[EMAIL PROTECTED]> wrote:
> The single take away (true point) they don't point out is that if you
> use any javascript hosted on a remote server (google adwords for
> example) fully compromises any page that host these scripts.

I don't think that has anything to do with the article.

> So for any site that needs security Don't host third party
> scripts/content problem solved.

Not at all. That has nothing to do with it. I think your conclusions are based on a misunderstanding of the article.
The true take away of the article is something that has been known for a long time, and rarely actually exists in reality:

Don't deliver a JSON response containing private information that consists of an Array literal as the base object, in response to a GET request that uses only session authentication.

In reality, I have yet to see any evidence that this problem actually exists in the wild. It's a theoretical security concern (not even a flaw) that is interesting but has very little practical application.

A potential hacker would need to find a site that delivers private data in this very specific fashion, build a page to exploit that, then have you visit his page AFTER you have already logged in and established a session on the other site.

In other words, that's not going to happen. IMO.

Matt Kruse