Google YOLO clickjacking (2018)

dandare · on Jan 30, 2020

> Update. Shortly after thie article was published, Google silently prevented my domain from using the API

That will certainly make the problem go away Google ;)

finnthehuman · on Jan 30, 2020

Security reports at google are the same as any user interaction: they blow you off until you prove your point on Hacker News

dang · on Jan 30, 2020

ethanburrell · on Jan 30, 2020

Hey HN! I really enjoy this type of App Security, anyone know any blogs devoted to this? Or any other places to learn more tricks like this?

Thorrez · on Jan 30, 2020

You might check out writeups for CTF challenges in the web category.

Also check out the Youtube channel LiveOverflow. A lot of the stuff is binary exploitation, but some is web.

EdOverflow · on Jan 30, 2020

Aside from Filedescriptor's work, here are some of my favourite blogs in the web application security space (not an exhaustive list):

There is also this massive list of write-ups that might be of interest to you: https://github.com/ngalongc/bug-bounty-reference.

Shameless plug: I write about web application security at https://edoverflow.com/.

wrboyce · on Jan 30, 2020

You may want to edit your comment so the links are not inside a code block (and thus clickable). Thanks.

EdOverflow · on Jan 30, 2020

Updated accordingly. :)

james-imitative · on Jan 30, 2020

Unenumerated

Thorrez · on Jan 30, 2020

Are you saying there's a blog named Unenumerated that has stuff like this? I can't find it.

Thorrez · on Jan 30, 2020

Obviously related to the Facebook comment jacking post from yesterday: https://news.ycombinator.com/item?id=22176180

Coryodaniel · on Jan 30, 2020

I feel like the cookie button is shady AF

p1necone · on Jan 30, 2020

This is definitely a grey hat blog post.