<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">>The easiest way I know of is to
      convince the owner of a domain to load a script you control.<br>
      <br>
Yeah, that is pretty much the easiest way. Is there a LinkedIn
      integration out there that webmail clients are using? Ick...<br>
      <br>
      > How many pages do you visit that have those Facebook like /
      Tweet / Google +1 buttons on them?<br>
      <br>
      We also have miles of logs of people accessing said sites via
      their client-side APIs because of it, so they stick out like a
      sore thumb. My biggest gripe is that even with the Engineer from
      LinkedIn there is just hand-waving and paranoia. I'm used to the
      network security guys dumping proof online when accusations like
      this are made in that realm.<br>
      <br>
      It seems 99% of "it must be happening" is the paranoia that their
      relationships with people are more interconnected than they think
      they are, and that computer algorithms can figure them out.<br>
      <br>
      <pre class="moz-signature" cols="72">William Roush
</pre>
      On 9/22/2013 3:50 PM, James Nylen wrote:<br>
    </div>
    <blockquote
cite="mid:CABVa4NgHTk7SVA0mhhF7E-ZcJrjW7=KEoOLSc-yJBwgQTv9=3Q@mail.gmail.com"
      type="cite">
      <div dir="ltr">The easiest way I know of is to convince the owner
        of a domain to load a script you control.  Once you do that,
        technically all bets are off and you can capture any interaction
        with that domain.
        <div><br>
        </div>
        <div>How many pages do you visit that have those Facebook like /
          Tweet / Google +1 buttons on them?  Yeah... I think those
          scripts are worth blocking.</div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Sat, Sep 21, 2013 at 2:30 PM,
          William Roush <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:william.roush@roushtech.net" target="_blank">william.roush@roushtech.net</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">I'll bite,
how DO you gain control of a window you didn't spawn in
            JavaScript on a modern browser?<br>
            <br>
            I could see it being done with other technologies (ex: java
            applets?) or other exploits (XSS/CSRF), but I'd figure those
            would seem to be a lot easier to detect and we'd have
            evidence before this even came out.<span class="HOEnZb"><font
                color="#888888"><br>
                <br>
                William Roush</font></span>
            <div class="HOEnZb">
              <div class="h5"><br>
                <br>
                On 9/21/2013 2:03 PM, Mike Harrison wrote:<br>
                <blockquote class="gmail_quote" style="margin:0 0 0
                  .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  <blockquote class="gmail_quote" style="margin:0 0 0
                    .8ex;border-left:1px #ccc solid;padding-left:1ex">
                    I'd like to know what they mean by that...
                    cross-window, cross-domain exploits? Aren't those
                    nearly impossible on any modern browser?<br>
                  </blockquote>
                  <br>
Not impossible, but I'm waiting for a better
                  explanation of what really happened. LinkedIn and
                  other social media sites are often confusing to some
                  people, and they click [yes] and enter passwords
                  without thought.<br>
                  <br>
It might be as simple as morons that use the same
                  password for email as things like LinkedIn, Facebook...<br>
                  _______________________________________________<br>
                  Chugalug mailing list<br>
                  <a moz-do-not-send="true"
                    href="mailto:Chugalug@chugalug.org" target="_blank">Chugalug@chugalug.org</a><br>
                  <a moz-do-not-send="true"
                    href="http://chugalug.org/cgi-bin/mailman/listinfo/chugalug"
                    target="_blank">http://chugalug.org/cgi-bin/mailman/listinfo/chugalug</a><br>
                </blockquote>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </body>
</html>