On 02/13/2013 04:08 AM, navashok wrote:
>
> --- In FairfieldLife@yahoogroups.com, Bhairitu  wrote:
>> These are XSS exploits.  I installed a Firefox Add-On called "XSS Me"
>> which will analyze a page for potential XSS exploits.  Most sites I
>> visited produced nothing. Go to the FFL webpage and the thing goes
>> crazy.  The Add-On is a geek tool and probably not for non-techs.
> Thanks for the tip, I also installed it now, but it didn't find any XSS 
> vulnerabilities on the Yahoo FFL website. The only complaints were that 
> certain special signs did not work.
>
> It's some years back that I looked into XSS, what it was. IIRC it is all 
> within the browser, it has really nothing to do with the OS. I guess if 
> somebody steals your session cookie, all you have to do is close your 
> browser, and delete the cookies for this site, correct?
>
> When I 'researched' it some years back, I managed to make a photo of my 
> friend appear on the official LAPD website, of course only in my browser if 
> you follow the prepared link. (I didn't hack the page of course.)
>

I experienced the "effect" of the XSS trick when I signed up for 
Google+.  Prior to that, my blog comments using Disqus (which I despise but it's 
made for lazy webmasters) used the Yahoo option.  Once I signed up for 
Google+ (basically to comment on an Android developer survey), 
Disqus wanted to use Google+ and that took some work to undo. We have 
this millennial generation of inexperienced "hot shot" programmers who 
think that "everyone must be connected to the Internet all the time."
They also think we should spend all our time on social networking sites 
and nag you like a 5 year old if you're not.

This stuff is not my specialty but after the problem with Google+ a 
security specialist I know who works for a telecom explained what was 
going on and that the trick had been around for a while.  I'm not 
surprised nothing really happened on the FFL page because Yahoo 
supposedly did fix the problem which they knew about for 6 months. I 
just didn't have time to look up what the hell XSS Me was really doing 
other than being a tool.  Also I read somewhere that Ubuntu had created 
a block for it sometime in their version of Firefox (which I am running).
