I've seen (and helped develop) some proof of concept hacks to get all sorts of data from a user's computer.
So far the best is compromising a user's Myspace page.
Another good one I have seen (not worked on this one tbh, just seen the demo) is a combination attack on Facebook and the user's email address. It works for Hotmail, Gmail and Yahoo... so pretty much everyone. If you're logged into Facebook and into your mail provider it can reset your password, change your mail and lock you out in under a minute... all from YOUR computer.
I imagine Twitter would be fairly similar to effect as well.
Could you point me in the direction of some more information on these attacks? Presumably they're XSS attacks, but I can't imagine how services like Facebook and Gmail are vulnerable to them. Does Facebook integrate with common webmail services or something?
There isn't a lot of information. I believe there are some white papers in progress. But the other poster is right: it is based on XSRF attacks and screen scraping.
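To make the XSRF mechanism concrete, here is an added illustration (not code from this thread, and not how Facebook or any webmail provider is implemented). It is a toy server model: a "change email" handler that only checks the session cookie, beside a hardened version that also checks the request's Origin/Referer and a per-session token. The session store, cookie names, and the forged request that a browser would send when an attacker's page auto-submits a form are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Server-side key used to derive per-session CSRF tokens (constructed for the example).
SERVER_KEY = secrets.token_bytes(32)
SITE_ORIGIN = "https://mail.example.com"  # assumed origin of the webmail site

# The attacker's page, for reference: the victim's browser attaches the webmail
# cookie automatically, so the request looks authenticated even though the
# victim never touched the form.
ATTACKER_PAGE = """
<form id="f" method="POST" action="https://mail.example.com/settings/email">
  <input type="hidden" name="email" value="attacker@evil.example">
</form>
<script>document.getElementById("f").submit();</script>
"""


class Request:
    """Minimal stand-in for an HTTP request: cookies, form fields, headers."""

    def __init__(self, cookies, form, headers=None):
        self.cookies = cookies
        self.form = form
        self.headers = headers or {}


def fresh_sessions():
    # One logged-in session (constructed). The key is the value of the "sid" cookie.
    return {"sid-abc": {"user": "victim", "email": "victim@example.com"}}


def csrf_token(session_id: str) -> str:
    # Synchronizer token bound to the session: HMAC(server key, session id).
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_of(url: str) -> str:
    # Reduce an Origin or Referer value to scheme://host[:port] for exact comparison.
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else ""


def change_email_vulnerable(req, sessions):
    """Trusts the cookie alone: any site the victim visits can drive this endpoint."""
    sess = sessions.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    sess["email"] = req.form["email"]
    return 200


def change_email_hardened(req, sessions):
    """Requires the cookie AND a same-origin sender AND a token the attacker cannot read."""
    sid = req.cookies.get("sid")
    sess = sessions.get(sid)
    if sess is None:
        return 401
    sender = _origin_of(req.headers.get("Origin") or req.headers.get("Referer", ""))
    if sender != SITE_ORIGIN:
        return 403  # cross-site (or origin-less) request
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(sid)):
        return 403  # token missing or not bound to this session
    sess["email"] = req.form["email"]
    return 200


def forged_request():
    # What the browser sends on behalf of ATTACKER_PAGE: cookie attached, foreign Origin, no token.
    return Request(
        cookies={"sid": "sid-abc"},
        form={"email": "attacker@evil.example"},
        headers={"Origin": "https://evil.example"},
    )


def legitimate_request():
    # A real form submission from the site's own page, which embedded the token.
    return Request(
        cookies={"sid": "sid-abc"},
        form={"email": "new@example.com", "csrf_token": csrf_token("sid-abc")},
        headers={"Origin": SITE_ORIGIN},
    )


if __name__ == "__main__":
    s = fresh_sessions()
    print("vulnerable, forged:", change_email_vulnerable(forged_request(), s), s["sid-abc"]["email"])
    s = fresh_sessions()
    print("hardened, forged:  ", change_email_hardened(forged_request(), s), s["sid-abc"]["email"])
    print("hardened, genuine: ", change_email_hardened(legitimate_request(), s), s["sid-abc"]["email"])
```

The forged request succeeds against the first handler purely because the browser attached the victim's cookie; that is the "all from YOUR computer" property described above. The hardened handler rejects it twice over: the sender origin is wrong, and the attacker has no way to read the session-bound token from the victim's pages (absent an XSS hole, which is the other half of the combination the posts mention).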