Digg.com Begging to be CSRF'd

sla.ckers.org is
ha.ckers sla.cking

Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc....

Go to Topic: Previous•Next

Go to: Forum List•Message List•New Topic•Search•Log In

Digg.com Begging to be CSRF'd

Posted by: hesum

Date: March 30, 2007 11:27AM

Digg is allowing people to add friends just by clicking a link while logged in. Have they no idea that this is a problem?

I first read about this here (this page actually has the CRSF in it as POC, so make sure you are logged out of digg if you don't want a random person on your friends list):
http://www.thegooglecache.com/rants-and-raves/new-digg-feature-friend-spamming-proof-of-concept/

Official blog entry from Kevin Rose
http://blog.digg.com/?p=70

Options: Reply•Quote

Re: Digg.com Begging to be CSRF'd

Posted by: Ghozt

Date: March 30, 2007 01:45PM

You can also XSS that parameter, you need their username in the URL though.

Options: Reply•Quote

Go to: Forum List•Message List•Search•Log In

Sorry, only registered users may post in this forum.

Click here to login