On 16.04.2007, at 17:01, Matt Kruse wrote:
In reality, I have yet to see any evidence that this problem actually
exists in the wild. It's a theoretical security concern (not even a
flaw) that is interesting but has very little practical application.
You can steal personal information from other sites, if users stay in
a cookie-based session while surfing on other pages.
There was at least one Gmail contact list exploit working similarly
"in the wild" already.
Don't deliver private data as JavaScript/JSON unless it's secured
with secrets in the URL.
--
Markus Peter - [EMAIL PROTECTED] http://www.spin-ag.de/
SPiN AG, Bischof-von-Henle-Str. 2b, 93051 Regensburg, HRB 6295
Regensburg
Aufsichtsratsvors.: Dr. Christian Kirnberger
Vorstände: Fabian Rott, Paul Schmid
