Simon Willison’s Weblog


Tuesday, 25th May 2010

OpenCart CSRF Vulnerability. Avoid OpenCart—it’s vulnerable to CSRF, but the maintainer has no intention of fixing it as “there is no way that I’m responsible for a client being stupid enough to click links in emails”.

# 12 am / csrf, opencart, security, recovered
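The maintainer's position above treats CSRF as a user problem, but the defence lives entirely on the server: a state-changing request has to carry a secret the cross-site page (or the link in the email) cannot know. As an added illustration of that mitigation, not code from OpenCart or from this post, here is a minimal synchronizer-token check in Python. The handler name `handle_change_password`, the session shape and the server secret are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed server-side secret for the example. In a real deployment this comes
# from configuration and is never shipped in page source.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def issue_csrf_token(session_id: str) -> str:
    """Mint a token for one session: random nonce plus an HMAC over (session, nonce).

    The nonce goes into the form as a hidden field. Because the MAC covers the
    session id, a token minted for one session does not validate for another, and
    a third-party page has no way to compute one without SERVER_SECRET."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, _, mac = token.partition(".")
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_change_password(request: dict, session: dict) -> Tuple[int, str]:
    """Hypothetical state-changing handler.

    `request` is a constructed dict with "method" and an optional "form" dict;
    `session` is the server-side session the browser's cookie resolved to. Note
    that the cookie is sent automatically by the browser, so the session is the
    victim's whether the request came from the real form or from elsewhere; only
    the token tells the two apart."""
    if request.get("method") != "POST":
        # GET links (the kind that arrive in email) must never change state.
        return 405, "state changes require POST"
    form = request.get("form", {})
    if not verify_csrf_token(session["id"], form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    session["password"] = form["new_password"]
    return 200, "password changed"


def demo() -> dict:
    """Walk through the legitimate flow and three cross-site attempts; returns the
    status codes so the outcome can be checked rather than just printed."""
    session = {"id": "victim-session", "password": "old"}
    token = issue_csrf_token(session["id"])

    results = {
        # Link in an email: a GET with the new password in the query string.
        "email_link": handle_change_password({"method": "GET"}, session)[0],
        # Auto-submitting form on a third-party page: POST, cookie present, no token.
        "cross_site_post": handle_change_password(
            {"method": "POST", "form": {"new_password": "pwned"}}, session)[0],
        # A token minted for a different session, replayed against the victim.
        "foreign_token": handle_change_password(
            {"method": "POST", "form": {"new_password": "pwned",
                                        "csrf_token": issue_csrf_token("other")}},
            session)[0],
        # The site's own form, carrying the token issued for this session.
        "legitimate": handle_change_password(
            {"method": "POST", "form": {"new_password": "new",
                                        "csrf_token": token}}, session)[0],
    }
    results["final_password"] = session["password"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two properties that matter are that the token is bound to the session (so one minted for an attacker-controlled account cannot be reused) and that the comparison uses `hmac.compare_digest`, so a wrong guess does not leak timing information. Whether the user "clicks links in emails" never enters into it.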

A New Type of Phishing Attack. Nasty trick from Aza Raskin—detect when your evil phishing page loses focus (when the user switches to another tab, for example), then replace the page content with a phishing UI imitating a site such as Gmail. When the user switches back they’re much less likely to bother checking the URL. Combine with CSS history sniffing to only show a UI for a site that you know the user has visited. Combine that with timing tricks to only attack sites which the user is currently logged in to.

# 3:20 pm / azaraskin, phishing, security, recovered

Twitter is an open, real-time introduction and information service. On a daily basis we introduce millions to interesting people, trends, content, URLs, organizations, lists, companies, products and services. These introductions result in the formation of a dynamic real-time interest graph. At any given moment, the vast network of connections on Twitter paints a picture of a universe of interests. We follow those people, organizations, services, and other users that interest us, and in turn, others follow us.

Dick Costolo

# 4:54 pm / dick-costolo, twitter, recovered
