Published on 2007-03-12 19:45:09

You probably know the Digg button that you can add to your own website, and it looks very nice, but did you know that it opened an XSS exploit? It turns out the button is not needed at all to send a Digg vote: a malicious webpage can hide a script that automatically submits your vote, without you clicking anything, as long as you are logged into Digg. Strictly speaking this is a cross-site request forgery: the attacker's page makes your browser cast a vote with your own Digg session.

[Image: digg-dugg.png]


The malicious webpage uses the DiggThis API together with diggthis.js inside an iframe, then simply creates a new variable that points to the widget object, calls submit(), and that's all! I bet many didn't want to see this bug reported, and since it was reported only an hour ago it will take some time before Digg notices it and provides a fix. For more information, here is the source.



Member of the PHP Magazine Network, Copyright (C) 2005-2008 phpmagazine.net All Rights Reserved