Proinsias wrote: oh dear. I wouldn't be stealing Brandon's info, that guy owns a sword
Haha! Actually, a friend of mine has a pretty serious sword collection, but I am blade-less.
I believe the attack went something like this. The chat box is an iframe with a basic HTML form in it. It is written in such a way that the username and icon are passed, in clear text, as part of the URL of the iframe (the GET string). This has been abused in the past to impersonate users, and has been improved slightly to include a secret token - in theory, known only to yourself.
The 'attacker' was mostly interested in spamming the chat with a link to his store. Anyone, including myself, who clicked the link for amusement (the guy WAS quite amusing), showed up in the web log of the attacker with a Referrer indicating the URL of the Chat iframe, including the 'secret' token. He could now post as this person quite effortlessly.
Lesson 1: Don't click the links of a spammer, they might be more clever than you give them credit for.
Lesson 2: Don't secure a web session using text that is part of the URL.

Chip, no apology necessary, thanks for looking out.
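The leak described in this thread depends on what the browser puts in the Referer header when a link on the chat page is followed. The following is an added example, not code from the forum or its chat box: it models the common Referrer-Policy values and checks whether a constructed chat-iframe URL (the `user`, `icon` and `token` parameter names are assumptions) would reach a third-party site. It also shows why moving the secret out of the URL, rather than relying on a policy header, is the durable fix.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed example of the iframe URL described in the post: username, icon
# and the "secret" token all travel in the query string. Parameter names assumed.
CHAT_IFRAME_URL = "https://forum.example/chat.php?user=chip&icon=3&token=s3cr3t"
SPAM_LINK = "https://shop.example/cheap-swords"  # constructed third-party link

def referer_sent(page_url, link_url, policy="no-referrer-when-downgrade"):
    """Referer header a browser sends when a link on page_url to link_url is
    followed under the given Referrer-Policy, or None if nothing is sent.
    Models the rules of the Referrer Policy spec for the common policies."""
    src, dst = urlsplit(page_url), urlsplit(link_url)
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    origin_only = urlunsplit((src.scheme, src.netloc, "/", "", ""))
    # Browsers always strip the fragment, but keep path and query string.
    full = urlunsplit((src.scheme, src.netloc, src.path, src.query, ""))
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":   # old browser default
        return None if downgrade else full
    if policy == "origin":
        return origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "strict-origin-when-cross-origin":  # current browser default
        if same_origin:
            return full
        return None if downgrade else origin_only
    raise ValueError(f"unknown policy: {policy}")

def leaks_token(page_url, link_url, policy, param="token"):
    """True if the secret query parameter ends up in the outgoing Referer."""
    ref = referer_sent(page_url, link_url, policy)
    return ref is not None and param in parse_qs(urlsplit(ref).query)

def token_in_url(page_url, param="token"):
    """The check that actually matters: a secret in the URL is exposed to
    browser history, proxies and logs regardless of any Referrer-Policy."""
    return param in parse_qs(urlsplit(page_url).query)
```

Under the old default policy the whole iframe URL, token included, lands in the spammer's access log; under `strict-origin-when-cross-origin` only the origin is sent, but `token_in_url` still flags the design because the URL itself is the problem.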