Tuesday, December 19, 2006

Evidently We're Not Cool Enough

I was recently driving a lot, so I caught up on some missed episodes of Security Now!, and it turns out that someone else found the same kind of bug that Lucas and I discovered and made a whole attack scenario out of it.

Now, Lucas and I explored this, and Lucas went so far as to build a really cool and complex system out of this concept that we use at Mog.com to serve ads intelligently. If you look at mog.com ads, you'll see that we use a variant of the technique that has been demonstrated to perform cross-domain ajax.

But even though we had a working demonstration, there is no credit or recognition. In fact, security professionals shouted us down with a resounding "DUH!" Bummer, eh? I know someone could argue that we didn't show how to attack without local domain permissions, but that's because we deliberately left it out. We obviously understood it, because we've got existing work using it. :)