Hacker News

As pointed out here and in the blog's comments, if example.com does a <script src="http://friendfeed.com/api/feed/public?callback=alert%28docum... the code will run in example.com's origin, not friendfeed.com's. This means it's not an XSS in FriendFeed. When testing for this type of issue, using alert(document.domain) makes it clear what origin the JavaScript is running in.

Although the blog did not fully describe a real XSS, developers should not allow characters such as < and > in JSONP callbacks.

Does anyone know how to contact security at FriendFeed? [update: there's a bug report form, hopefully someone reads it http://friendfeed.com/about/contact/bug ]
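The defence the comment above recommends, as an added example that is not FriendFeed's code nor part of the original thread: a server-side validator that accepts only a plain JavaScript identifier as the JSONP callback name, plus a response builder that keeps raw `<` and `>` out of the body so a browser cannot mistake it for HTML. The function names and the query-parameter handling are assumptions.

```javascript
// Added example (hypothetical helper names). A JSONP endpoint should
// never echo an arbitrary callback string; it accepts a bare identifier
// (optionally dotted, e.g. "app.feed.cb") and nothing else.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// True only for a short, identifier-shaped callback name. Anything with
// "<", ">", "(", quotes or whitespace is rejected outright.
function isSafeCallback(name) {
  return typeof name === "string" && name.length <= 64 && CALLBACK_RE.test(name);
}

// Builds the script body for a JSONP response, or null if the callback
// fails validation (the caller should then answer 400, not fall back).
function buildJsonpResponse(callback, payload) {
  if (!isSafeCallback(callback)) return null;
  // JSON.stringify leaves "<" and ">" untouched inside strings, so escape
  // them (and the JS line terminators U+2028/U+2029) to keep the body
  // free of anything an HTML content sniffer would latch onto.
  const json = JSON.stringify(payload)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  // Leading comment ensures the response never starts with attacker-chosen bytes.
  return `/**/ ${callback}(${json});`;
}

// Headers that should accompany the body: declare it as script and
// forbid MIME sniffing so browsers do not reinterpret it as HTML.
function jsonpHeaders() {
  return {
    "Content-Type": "application/javascript; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
  };
}
```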



Reporting a bug through their bug report form worked. :)

FriendFeed has fixed the bug. There was a way to exploit this now-fixed issue as actual XSS in FriendFeed for certain browsers. http://code.google.com/p/browsersec/wiki/Part2#Content_handl...


Nice one Drew!



