lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAEJizbb+f0RH3wYBAfhb8-GCo6KoB0rOja434yS5D7BMFOG64g@mail.gmail.com> Date: Mon, 7 May 2012 16:53:59 +0100 From: Benji <me@...ji.com> To: Gage Bystrom <themadichib0d@...il.com> Cc: full-disclosure@...ts.grok.org.uk, Valdis.Kletnieks@...edu Subject: Re: [OT] New online service to make XSSs easier People using this service definitely wont be up to anything clever or interesting, so it's barely a concern. I mean really, this is useful? On Mon, May 7, 2012 at 4:17 PM, Gage Bystrom <themadichib0d@...il.com> wrote: > Anyone visiting a compromised site can get the hash, meaning anyone > who is looking for it can find it and lets any random person(assuming > stored) visiting to be able to grab all the cookie values. > > That's not even my personal concern. My concern is why should I trust > the owner? Whether you are a black hat, white hat, or myriad of other > assorted hats you would be allowing sensitive information to sit on > this guy's server. How do we know he isn't silently making a copy of > all the data for his own ends? Simply we don't. > > On Mon, May 7, 2012 at 6:03 AM, <Valdis.Kletnieks@...edu> wrote: >> On Mon, 07 May 2012 02:27:33 +0530, karniv0re said: >> >>> And this is anonymous.. How?? >> >> Haven't checked, but if you set up the userid/password via Tor, should >> be pretty anonymous. >> >>> http://www.getmycookie.com/view.m3?hash=<insert_hash_here> >> >> And you get somebody else's hash value, how? >> >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists