Dugg Without Visiting Digg?!
You probably know the Digg button that you can add to your own website; it looks very nice, but did you know that it opened an XSS exploit? It turns out the button is not needed at all to send a Digg vote: a malicious web page can hide a script that automatically submits your vote for you, provided, of course, that you are logged into the site.
The malicious web page uses the DiggThis API together with diggthis.js inside an iframe, then simply creates a new variable pointing to the widget object, calls submit(), and that's all! I bet many didn't want to see this bug reported, and since it was reported only an hour ago it will take some time until Digg notices it and provides a fix. For more information, here is the source.