We have an ex-step daughter who has an account on My Space, which permits anyone to make and cusomize their own web space without the headaches and expense of having a formal website.

We remark on this story because of a story in the Register describing how some script kiddies have found a java script which harvests site login information for My Space accounts.

The script was developed by an internet entity as part of a service offered to My Space users to help them track users who visit an account. The script, which apparently has been captured and is in broad use at the moment, requires tracked users to provide their My Space account information.

But this script harvest information from a users very browser, accessing the cookie and scraping the login information, as welll as any other information My Space saved to the user's computer.

It sounds a little like Ajax to us, whereby a refresh of a script enabled page isn't required to access additional elements of that page, such as feedback from user input. The key is the web server has a promiscuous element which permits the browser to commit minor changes by these elements permitted albeit not immediately offered by the server, submitted by a browser refresh.

The point to all this is whatever the thinking that went into web server security ( and we suspect a program of features overy other consideration ) it has the potential to lay waste to a huge ( 90 million users ) and popular site by opening it to spammers.


It has been 6294 days since this story was posted.
Discussion threads close after five days.
Sorry...
Return to the Free Fire Zone

See the full, archived discussion