I’ve been following the Livejournal hack closely because as someone who runs many services that allow user submitted content, any new developments in XSS are very important to stay on top of. So far the only official technical explanation I’ve seen is here on lj_dev. Since we don’t allow template editing or embedded JS or styles on WP.com I can’t think of any vectors for attack, but you never know with these things. More on moz-binding.
Very interesting links Matt – thanks !
The technical explaination link seems to be broken now, leads to a ‘no such entry’ message….
LJ sez: “Error: No such Entry”
Hmm. Cookies, moz-binding, and a Firefox 1.0.x to 1.5.x change? I’ll have to let that simmer for a while (or catch an lj_dev post before it gets disappeared).
Something I find brilliant about Blogger is that they use different domains for blog admin and blog presentation: blogger.com and blogspot.com. This keeps the login cookies safe from scripts running on blogspot.com. All that’s left is to filter comments, which are sometimes viewed by the logged-in user on the blogger.com domain.
Booo, they deleted it.