
Dugg Without Visiting Digg ?!

You probably know the Digg button that you can add to your own website; it looks very nice, but did you know that it opened a security hole? It was reported as an XSS exploit, though what is described is really a cross-site request forgery: the button is not needed at all to send your Digg vote, since a malicious webpage can hide a script that submits the vote for you automatically. You do have to be logged into Digg, of course, because the forged request rides on your own session.

[Screenshot: digg-dugg.png]

The malicious webpage loads the DiggThis API together with diggthis.js inside an iframe, creates a variable that points at the widget object, calls submit(), and that's all! I bet many didn't want to see this bug reported, and since it was reported only an hour ago it will take some time until Digg notices it and provides a fix. For more information, here is the source.
