On Thu, Dec 12, 2013 at 12:43:00PM -0800, Michal Zalewski wrote: > What is your exact concern? That page allows drag-and-drop of the user's name. If you can convince the user to select his name with a triple-click and then do a drag-and-drop of that name to some place outside the iframe, you can find out his name, so I'd say it's a privacy leak. Yeah, Chromium has protections against that, but they're not exactly bulletproof – they become useless as soon as there's a single page on the victim domain that is framable and somehow lets the user publish data. This is because Chromium allows drag-and-drop between two frames from the same domain even if those two frames are inside another page and the drag-and-drop goes "through" a page with different origin. Also, as far as I know, not all webbrowsers have such protections.
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/