

Detecting twitter users with JavaScript - handy or evil? - bdfh42
http://ajaxian.com/archives/detecting-twitter-users-with-javascript-handy-or-evil

======
ErrantX
This is why Javascript is such a worry.

I've seen (and helped develop) some proof of concept hacks to get all sorts of
data from a user's computer.

So far the best is compromising a user's Myspace page.

Another good one I have seen (not worked on this one tbh, just seen the demo)
is a combination attack on Facebook and the user's email address. It works for
Hotmail, Gmail and Yahoo... so pretty much everyone. If you're logged into
Facebook and into your mail provider it can reset your password, change your
mail and lock you out in under a minute... all from YOUR computer.

I imagine Twitter would be fairly similar to effect as well.

~~~
weavejester
Could you point me in the direction of some more information on these attacks?
Presumably they're XSS attacks, but I can't imagine how services like Facebook
and Gmail are vulnerable to them. Does Facebook integrate with common webmail
services or something?

~~~
oddgodd
I suspect the grandparent is referring to a "cross site request forgery"
(XSRF) style attack.

------
invisible
Looks like the link in the script tag doesn't work anymore. Disabled
proactively perhaps?

Either way, being able to see "online" or "offline" is a nice thing to offer
imo, but perhaps they shouldn't offer access to the user's login name (to
prevent phishing effectiveness).

------
pmjordan
The problem with this for me is that it doesn't run in an iframe, say, but
directly in the JavaScript context of the parent page. This means a malicious
site can use AJAX to send all the data it can get back to the server. A
privacy concern if you ask me.

------
ars
Handy AND evil.

