Saturday, January 30, 2010

Blogger allows to run arbitrary Javascript

I guess this is a known issue since it's so simple to do it, anyways I think people should be aware of this.
Editing a blog post I realized that Blogger allows to run arbitrary Javascript in the blogs, this is good and bad. It's good because you can post demo code and run it, track users, modify the web pages at will, etc. But it's bad because it can be used as a malware distributing system, to steal information from blog visitors, to exploit browser vulnerabilities, etc.

Naif demo: Click here

BTW: It's not possible to steal Blogger cookies if you are logged since Blogger cookies are used only on and not on *

No comments:

Post a Comment