After reading Homakov's and Nir's discussions I started looking for some bugs myself. And guess what? ~10 hours later I found another access_token-stealing exploit that has the same implications as Nir's exploit (although mine doesn't work in all browsers). Reported it 2 days ago.
Wouldn't surprise me if there's more bugs/exploits to be discovered :(
And since Homakov gave quite a detailed description of the class of bugs, it would be quite dangerous to use a browser with an active session to facebook now.
[+] [-] judofyr|13 years ago|reply
After reading Homakov's and Nir's discussions I started looking for some bugs myself. And guess what? ~10 hours later I found another access_token-stealing exploit that has the same implications as Nir's exploit (although mine doesn't work in all browsers). Reported it 2 days ago.
Wouldn't surprise me if there's more bugs/exploits to be discovered :(
[+] [-] itsnotvalid|13 years ago|reply
[+] [-] RobertHoudin|13 years ago|reply
[deleted]
[+] [-] sktrdie|13 years ago|reply
[+] [-] delroth|13 years ago|reply
[+] [-] xyzzy123|13 years ago|reply