
Journal: DOM Hijacking Affects Many Large Sites
BugTraq regular and GulfTech researcher JeiAr has posted an advisory on Document Object Model (DOM) Hijacking. He has live proofs of concept at several affected major sites, including Amazon, eBay, half.com, CareerBuilder, AOL, CNN, MTV, VH1, HBO, ABC, Monster, Intel, Disney/Go, Orbitz, and Veritas. I have tested the eBay POC, and at a cable modem's download speed you can't easily tell when off-site code is loading, especially since the URL bar never changes. This could very easily lead to stolen identities on any of these sites.
The fact that the code involved is trivial shows, I think, just how far most companies have to go in terms of putting security first. If you can't trust eBay to protect your account while you are browsing their own domain directly, who can you trust?