Comments on: I know what your friends did last summer http://www.thespanner.co.uk/2009/01/07/i-know-what-your-friends-did-last-summer/ A tool for designers dealing with programmers dealing with designers... Wed, 08 Sep 2010 00:31:30 +0000 http://wordpress.org/?v=2.6.2 By: Gareth Heyes http://www.thespanner.co.uk/2009/01/07/i-know-what-your-friends-did-last-summer/#comment-1673 Gareth Heyes Tue, 22 Dec 2009 10:44:42 +0000 http://www.thespanner.co.uk/?p=299#comment-1673 @carstein I do follow honest but if you used poisoned UTF-7 data with a json request then you can get most of the data by manipulating the javascript. See my CSP hack. http://www.thespanner.co.uk/2009/11/23/bypassing-csp-for-fun-no-profit/ @carstein

I do follow honest but if you used poisoned UTF-7 data with a json request then you can get most of the data by manipulating the javascript. See my CSP hack.

http://www.thespanner.co.uk/2009/11/23/bypassing-csp-for-fun-no-profit/

]]> By: carstein http://www.thespanner.co.uk/2009/01/07/i-know-what-your-friends-did-last-summer/#comment-1672 carstein Mon, 21 Dec 2009 13:42:32 +0000 http://www.thespanner.co.uk/?p=299#comment-1672 @Gareth: I don't think I follow you. UTF-7 where? The problem is, that in FF3 you can define Setter for an Object.prototype which gets invoked when you recived JSON object (as a JS, so Object() is being initialized). However, due to tweaks in FF3.5 setters are only called when the value is begin set to an existing object, but not during initialization (so it spoils all the joy of JSON hijack). @Gareth:
I don’t think I follow you. UTF-7 where?

The problem is, that in FF3 you can define Setter for an Object.prototype which gets invoked when you recived JSON object (as a JS, so Object() is being initialized). However, due to tweaks in FF3.5 setters are only called when the value is begin set to an existing object, but not during initialization (so it spoils all the joy of JSON hijack).

]]> By: Gareth Heyes http://www.thespanner.co.uk/2009/01/07/i-know-what-your-friends-did-last-summer/#comment-1671 Gareth Heyes Mon, 21 Dec 2009 13:13:35 +0000 http://www.thespanner.co.uk/?p=299#comment-1671 @carstein UTF-7 should work until they fix it @carstein

UTF-7 should work until they fix it

]]> By: carstein http://www.thespanner.co.uk/2009/01/07/i-know-what-your-friends-did-last-summer/#comment-1670 carstein Mon, 21 Dec 2009 11:45:55 +0000 http://www.thespanner.co.uk/?p=299#comment-1670 It seems that doesn't work in ff 3.5 because setters are ignored when initializing object. Any ideas how to evade that? It seems that doesn’t work in ff 3.5 because setters are ignored when initializing object. Any ideas how to evade that?

]]> By: Frank Polenose http://www.thespanner.co.uk/2009/01/07/i-know-what-your-friends-did-last-summer/#comment-1558 Frank Polenose Thu, 21 May 2009 16:23:10 +0000 http://www.thespanner.co.uk/?p=299#comment-1558 I had to have a chuckle at Petes comment! Cheered me right up! I had to have a chuckle at Petes comment! Cheered me right up!

]]> By: Gareth Heyes http://www.thespanner.co.uk/2009/01/07/i-know-what-your-friends-did-last-summer/#comment-1471 Gareth Heyes Thu, 26 Feb 2009 09:52:30 +0000 http://www.thespanner.co.uk/?p=299#comment-1471 @Pete I think you misunderstood what I actually do. I'm a security researcher. @Pete

I think you misunderstood what I actually do. I’m a security researcher.

]]> By: Pete http://www.thespanner.co.uk/2009/01/07/i-know-what-your-friends-did-last-summer/#comment-1470 Pete Thu, 26 Feb 2009 09:29:37 +0000 http://www.thespanner.co.uk/?p=299#comment-1470 Hi Gareth I found your name and information on the Security Planet website. Can you help me, or do you know someone who can help me, to crack a gmail password? Thanks Pete Hi Gareth
I found your name and information on the Security Planet website. Can you help me, or do you know someone who can help me, to crack a gmail password?
Thanks
Pete

]]> By: Giorgio Maone http://www.thespanner.co.uk/2009/01/07/i-know-what-your-friends-did-last-summer/#comment-1408 Giorgio Maone Tue, 13 Jan 2009 10:34:46 +0000 http://www.thespanner.co.uk/?p=299#comment-1408 Get NoScript 1.8.8.95 from http://noscript.net/getit#devel :) http://hackademix.net/2009/01/13/you-dont-know-what-my-twitter-leaks/ http://hackademix.net/2009/01/13/twitter-json-hijacking-updates/ Get NoScript 1.8.8.95 from http://noscript.net/getit#devel :)

http://hackademix.net/2009/01/13/you-dont-know-what-my-twitter-leaks/

http://hackademix.net/2009/01/13/twitter-json-hijacking-updates/

]]> By: Gareth Heyes http://www.thespanner.co.uk/2009/01/07/i-know-what-your-friends-did-last-summer/#comment-1407 Gareth Heyes Tue, 13 Jan 2009 09:19:55 +0000 http://www.thespanner.co.uk/?p=299#comment-1407 Twitter has now fixed the problem whoo hoo Twitter has now fixed the problem whoo hoo

]]> By: Gareth Heyes http://www.thespanner.co.uk/2009/01/07/i-know-what-your-friends-did-last-summer/#comment-1396 Gareth Heyes Wed, 07 Jan 2009 17:38:32 +0000 http://www.thespanner.co.uk/?p=299#comment-1396 * Note You need to be logged into twitter using https in order for the POC to work correct * Note You need to be logged into twitter using https in order for the POC to work correct

]]>