A hacker called SeeMe showed that one of the largest independent OpenID providers is vulnerable to a cross-site scripting attack.
According to
The Hacker News, the hacker made a proof-of-concept page just like in the case of the
Speed Bit search engine we saw yesterday.
By making use of the flaw, attackers can steal a session ID of a valid customer which they can use to browse the website logged in as the victim.
“The session ID is very valuable because it is the secret token that the user presents after login as proof of identity until logout. If the session ID is stored in a cookie, the attackers can write a script which will run on the user's browser, query the value in the cookie and send it to the attackers,” the hacker said.
Find us on Google+
No user comments yet.
Be the first to express your opinion!
