Cookies should only be accessible to the site that set the cookie and the computer that accepted the cookie. However, when the site that set the cookie allows people other than the management of the site to put JavaScript on the site, that JavaScript could use the content of the cookie in a manner that doesn't match the policies of the site management (it is trivial to forward it to a remote site for later use in any way desired).
So the problem is a combination of cookies, JavaScript, and a site that accepts content from other sources.
Also, the content of the cookie could be some sort of session ID that is only useful for a limited time and couldn't be used to change your PerlMonks password. However, this particular cookie is just your username and encrypted password and so has no expiration date and can be used to change your PerlMonks password out from under you.
The new feature to remove JavaScript from home nodes is a welcome one even though it still has some bugs and so shouldn't be trusted completely. Lots of browsers and/or gateway/proxy software will strip JavaScript only for certain sites. Note that JavaScript can be a security risk in lots of other situations so you should consider disabling it for most of your surfing (you won't have any more pop-up ads, for one thing) and encouraging the sites that you frequent to allow effective navigation when JavaScript is disabled.
- tye (but my friends call me "Tye")In reply to (tye)Re: javascript perlmonks password insecurity
by tye
in thread javascript perlmonks password insecurity
by Ntav
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |