Guard those Passwords!

Apr 21, 2008

Did you hear about Earthlink's major advertising gaffe? The bloody details are in Wired magazine this month. Greedy ISPs, like Earthlink, are attempting to monetize the DNS system: when you mistype a domain or subdomain, instead of returning the "no such name" error the browser expects, their resolver hands back the address of their own ad server, so the typo lands you on an advertising page.

The problem is that the advertising pages they've been serving are vulnerable to cross-site scripting. There are several flavors of XSS attack, but they all come down to an attacker getting their own JavaScript to run in a victim's browser, in the context of a page the victim trusts. In the Earthlink case, malicious scripts could run on what appeared to the user, and to the browser, to be an official subdomain of almost any website: google, ebay, yahoo, etc. That matters because login cookies are commonly set for the whole parent domain, so script on any subdomain, including a made-up one that the ISP has just answered for, can get at them.

It's a tad more clever than the old "read my flame-war and I'll steal your authenticated cookies" routine: nobody has to be lured anywhere, a typo in the address bar is enough. One could easily envision a malicious person using it to obtain actual user names and passwords for, say, someone's eBay account, since a login form served from what looks like a real eBay subdomain is about as convincing as phishing gets.
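To make the cookie-scoping point concrete, here is an added example (not code from the original post) that models which cookies a browser attaches to a request for a given host, and which of those the page's script can read through document.cookie. The domains, cookie names and the cookie jar are hypothetical; "wwww.example.com" stands in for a mistyped subdomain that an ISP's DNS resolves to its ad server instead of returning NXDOMAIN.

```python
# Added example, not code from the original post: a model of which cookies a
# browser attaches to a request for a given host, and which of those page
# script can read through document.cookie. Domains and cookie names are
# hypothetical; "wwww.example.com" stands in for a mistyped subdomain that an
# ISP's DNS resolves to its ad server instead of returning NXDOMAIN.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str         # host that set it (host-only) or the Domain attribute
    host_only: bool     # True when Set-Cookie carried no Domain attribute
    http_only: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match: equal, or host ends in '.' + domain."""
    h = request_host.lower().rstrip(".")
    d = cookie_domain.lower().strip(".")
    return h == d or h.endswith("." + d)


def sent_to(request_host: str, jar) -> list:
    """Names of the cookies the browser puts in the Cookie header for request_host."""
    names = []
    for c in jar:
        if c.host_only:
            if request_host.lower().rstrip(".") == c.domain.lower():
                names.append(c.name)
        elif domain_matches(request_host, c.domain):
            names.append(c.name)
    return sorted(names)


def readable_by_script(request_host: str, jar) -> list:
    """Subset of sent_to() that document.cookie exposes: HttpOnly cookies are
    still transmitted, but hidden from JavaScript on the page."""
    sent = set(sent_to(request_host, jar))
    return sorted(c.name for c in jar if c.name in sent and not c.http_only)


# Constructed cookie jar for a site whose login is shared across subdomains
# (mail.example.com, my.example.com, ...), so the session cookies carry
# Domain=.example.com, as many real sites' cookies do.
JAR = (
    Cookie("session", "example.com", host_only=False),
    Cookie("auth", "example.com", host_only=False, http_only=True),
    Cookie("csrf", "www.example.com", host_only=True),
)

if __name__ == "__main__":
    for host in ("www.example.com", "wwww.example.com", "example.com.evil.net"):
        print(host, "sent:", sent_to(host, JAR),
              "document.cookie:", readable_by_script(host, JAR))
```

Run it and the mistyped host receives both "session" and "auth" on the wire, because the browser believes it is talking to example.com and the ISP has pointed that name at its own server; the script on the ad page can additionally read "session" outright. HttpOnly keeps "auth" away from script but not away from the server the browser was steered to, and only the host-only "csrf" cookie stays home. The Secure attribute (cookie only over HTTPS) and setting cookies without a Domain attribute are the two settings that actually shrink this exposure.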

This touches on another peeve of mine: websites like Facebook and other social networks that attempt to import your contacts from your webmail address book by asking for your webmail user name and password. A lot of people consider this a relatively benign piece of information: so a malicious website could hijack my webmail account. Big deal?

It is a big deal: if you're like most people, your web mail account represents ALL OF YOUR ACCOUNTS.

I'll repeat: ALL OF YOUR ACCOUNTS!

This is because most websites you use have no cleverer mechanism for recovering a lost password than sending you an email, often with a new password boldly displayed in plaintext for everyone and their mother to look at. Whoever controls the mailbox can therefore reset, and take over, every account registered to it. This is a bad situation we find ourselves in.
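As an added example (not code from the original post), here is the plaintext-password reset the post complains about beside the token-based alternative that most of the web has since moved to. The users, the example.com URL, the in-memory stores and the "outbox" list standing in for the mail system are all hypothetical.

```python
# Added example, not code from the original post: the plaintext-password reset
# the post complains about beside a token-based alternative. Users, the
# example.com URL and the in-memory stores are hypothetical; "outbox" stands in
# for the mail system.
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


class WeakReset:
    """The pattern the post describes: mint a new password, store it, and mail it
    in plaintext. Anyone who can read the mailbox now has a working password."""

    def __init__(self, outbox: list):
        self.outbox = outbox
        self.passwords = {}

    def request_reset(self, user: str) -> str:
        new_pw = secrets.token_urlsafe(9)
        self.passwords[user] = new_pw
        self.outbox.append((user, f"Your new password is: {new_pw}"))
        return new_pw


class TokenReset:
    """Reset by single-use, short-lived link. Only a hash of the token is stored,
    so a leaked database does not yield usable links, and the mailed token stops
    working once used or expired."""

    def __init__(self, outbox: list, now=time.time):
        self.outbox = outbox
        self.now = now                  # injectable clock, for testing expiry
        self._pending = {}              # user -> (sha256(token), expiry)
        self.password_hashes = {}

    def request_reset(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._pending[user] = (_digest(token), self.now() + TOKEN_TTL_SECONDS)
        self.outbox.append((user, f"https://example.com/reset?u={user}&t={token}"))
        return token   # returned only so the demo can redeem it; the mail is the real channel

    def redeem(self, user: str, token: str, new_password: str) -> bool:
        record = self._pending.get(user)
        if record is None:
            return False
        digest, expiry = record
        if self.now() > expiry:
            del self._pending[user]
            return False
        if not hmac.compare_digest(digest, _digest(token)):
            return False
        del self._pending[user]         # single use
        # Store a salted hash of the new password, never the password itself.
        salt = secrets.token_bytes(16)
        self.password_hashes[user] = (
            salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000))
        return True


if __name__ == "__main__":
    mail = []
    WeakReset(mail).request_reset("alice")
    svc = TokenReset(mail)
    t = svc.request_reset("alice")
    print(mail)
    print(svc.redeem("alice", t, "correct horse"), svc.redeem("alice", t, "again"))
```

The token version is better, not a cure: the mailbox still receives something that grants access, it just grants it once, for fifteen minutes, and only if redeemed before the legitimate owner. Which is exactly why the webmail password itself deserves more guarding than most people give it.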


About the Blogger

I actually don't drink coffee, despite this picture from Rockefellar Center.

I'm Jesse Legg. I live with my wife and cat in the lovely Davis Square area of Somerville, Massachusetts. I'm a web developer and IT professional and developed this blog application using Django, the Python web framework. I also put together WheresTheT.com.

This is my personal weblog where I write about whatever's on my mind. Mostly I blog to meet people, maintain old relationships, and to have a forum to launch an occasional zany idea. It also helps improve my writing and web development skills. I plan to start a new blog or two in the future so stay tuned. You can contact me via email: or on twitter

Creative Commons License

All content licensed under a Creative Commons Attribution-Share Alike 3.0 License unless otherwise noted.
