Web 2.0 is vulnerable to attack (nasty AJAX/JSON exploit)

[brett]

This article's not very clear on what's going on. Here's the actual advisory: http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf

[kogir]

This is far from new, but it is a problem. Ironically, the old school SOAP 1.1 way of doing things (with a header and a post) is immune from this.

Also, correct me if I'm wrong, but isn't JSON and the script tag way of calling things explicitly designed to DEFEAT the same origin policy? If the entire point of your data transfer method is to make it possible for anyone to request your data, you should only send data that everyone should be able to see =P

[far33d]

It would be fun to take bets on which of the 12 toolkits will fix the vulnerability first.