I've seen (and helped develop) some proof of concept hacks to get all sorts of data from a users computer.
So far the best is compromising a users Myspace page.
Another good one I have seen (not worked on this one tbh, just seen the demo) is a combination attack on Facebook and the users email address. It works for Hotmail, Gmail and Yahoo... so pretty much everyone. If your logged into Facebook and into your mail provider it can reset your password, change your mail and lock you out in under a minute.. all from YOUR computer.
I imagine Twitter would be fairly similar to effect as well.
Could you point me in the direction of some more information on these attacks? Presumably they're XSS attacks, but I can't imagine how services like Facebook and Gmail are vulnerable to them. Does Facebook integrate with common webmail services or something?
There isn't a lot of information. I believe there are some white papers in progress. But the other poster is right: it is based on XSRF attacks and screen scraping.
Looks like the link in the script tag doesn't work anymore. Disabled proactively perhaps?
Either way, being able to see "online" or "offline" is a nice thing to offer imo, but perhaps they shouldn't offer access to the user's login name (to prevent phishing effectiveness).
The problem with this for me is that it doesn't run in an iframe, say, but directly in the JavaScript context of the parent page. This means a malicious site can use AJAX to send all the data it can get back to the server. A privacy concern if you ask me.
I've seen (and helped develop) some proof of concept hacks to get all sorts of data from a users computer.
So far the best is compromising a users Myspace page.
Another good one I have seen (not worked on this one tbh, just seen the demo) is a combination attack on Facebook and the users email address. It works for Hotmail, Gmail and Yahoo... so pretty much everyone. If your logged into Facebook and into your mail provider it can reset your password, change your mail and lock you out in under a minute.. all from YOUR computer.
I imagine Twitter would be fairly similar to effect as well.