On Thu, May 17, 2012 at 6:32 AM, Andrew Garrett <[email protected]> wrote:

> On Thu, May 17, 2012 at 11:19 PM, Daniel Friesen
> <[email protected]> wrote:
>
> > Yes. Except you can get tokens by the api. If we didn't drop permissions
> > to anon and reject requests for tokens to JSONP then it would be possible
> > for a 3rd party website to use JSONP to extract an edit token, and then
> > initiate a background iframe form POST to make an edit under your
> > account.
>
> Read up. :)
>
> Terry/Roan mentioned that you can use regular JSON output format, and
> override the property setter to steal the data.

We've tried to make sure that there is no way to pull the edit token cross
site. That would be a violation of our security assumptions, so we would try
to fix it asap.

I've actually been looking at the override attack in my spare time for the
past few weeks (since I found out the edit token was available in json). I
haven't been able to find a browser that it works in yet, although I'm
suspicious of IE 6/7 and haven't had the time to test yet. If someone does
find a working example for a specific browser, please do notify me!

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
