Items tagged security in Jan, 2007
MySpace Allegedly Kills Computer Security Website. No need for the allegedly; it’s been confirmed. MySpace got GoDaddy.com to redirect DNS for seclists.org after a list of phished user accounts posted to the full disclosure mailing list list was archived there. # 26th January 2007, 9:57 am
Most of the arguments I hear against OpenID are based on mis-understandings of the specification, but there is one that can’t be ignored: OpenID is extremely vulnerable to phishing.[... 531 words]
The NHL’s All-Star voting disaster. The NHL ran an online poll to decide which players are picked for their All-Star Game. The only authentication was a poorly implemented CAPTCHA. Unsurprisingly, it got gamed. # 19th January 2007, 9:50 am
Details of Google’s Latest Security Hole. For a brief while you could use Blogger Custom Domains to point a Google subdomain at your own content, letting you hijack Google cookies and steal accounts for any Google services. # 14th January 2007, 1:36 pm
The Adobe PDF XSS Vulnerability. If you host a PDF file anywhere on your site, you’re vulnerable to an XSS attack due to a bug in Acrobat Reader versions below 8. The fix is to serve PDFs as application/octet-stream to avoid them being displayed inline. # 11th January 2007, 4:23 pm
If you are subject to an XSS, the same domain policy already ensures that you’re f’d. An XSS attack is the “root” or “ring 0” attack of the web.