5 Comments
- nagumo, on 10/12/2007, -0/+1
Go Fortify!
- schestowitz, on 10/12/2007, -2/+3
This is a generic JS flaw. It has nothing to do with Yahoo, Microsoft, or Google, as the title suggests.
- nagumo, on 10/12/2007, -0/+0
xuminator:
The two things you can do to fix it are:
- Verify the authenticity of requests by putting unique identifiers in them
- Require JavaScript/JSON be modified before it can be eval'd by putting it in a comment block or adding a while(1); to the top
- xuminator, on 10/12/2007, -0/+0
Good job guys! Now how do we fix it ;-)
- cheald, on 10/12/2007, -0/+0
For the lazy, the upshot is this:
Assuming that the app is sending back JSON data, an attacker can steal the contents of a security-validated JSON response by tricking the user into visiting a malicious site after logging into the legit app. This is done by overloading the setter on a known field on the JSON object so that the malicious app gets access to the remote object and can do whatever it wants with it as it is being created, as the setter overload grants access to "this", including sending its data off elsewhere.
Interesting vulnerability, but I'd argue that it's more a vulnerability in the browsers' permission models which allow overloaded setters to be called on remote code. The recommended fix is that each call to an XHR action be verified with a random value that is generated, stored in the session, passed in as part of the XHR request, and validated against the value in the session, preventing access to the action without previous immediate access to the page that the action was expected to be called from. This has extremely high potential for breakage in a tabbed browsing environment, though.