Of course I wouldn’t have spotted the problems with that vulnerability without careful investigation, if ever! In security, people often have their own technique for finding particular types of problems. Also, just because I strive to write correct software doesn’t mean I do it. However, we do have a responsibility to ensure our software does what we claim it does, and most software products claim to be secure.

BTW- I don’t intend to get involved in a flame war that clogs up this blog… good luck doing your thing.

In the last few months I’ve talked to some outstanding programmers and starting blogging was probably one of the best decisions I’ve made.

I’ve been educated and entertained by your posts, and will be subscribing to your own feed.

Thanks for sharing your work.

Regards
Richard

But this specific vulnerability is the way Safari handles local files, it seems that if a file is run locally or fooled into thinking it is local then the cross domain policy seems to go out the window. Hence why I could access data from other domains.

I would recommend everyone uses an alternate browser until Apple release a fix for the beta as this vulnerability is extremely dangerous, it would be possible to hide the iframe and perform any action on any web site and retrieve data as that person.

Normally I would have reported this to the manufacturer before releasing it to the public but Apple’s attitude deserved otherwise.

>If you want it to work, then write correct code.

Tom, do you write code for the web, where this vulnerability and its consequences would become evident? If you’re not a “web type”, I’m impressed that would have spotted it in a nano-second (as opposed to the long, hard slog Gareth put in to find it). Incidentally, what is it of yours that is bad?

Gareth, could you tell us whether you think what the Safari beta does is what it (or any browser, for that matter) ought to do?

I’d check out a different career field.

But hey it’s not PHP related eh? See how silly some people are.