re: Evil Session Tokens VIEW POST

re: Thanks for your reply, but we've clearly crossed wires somewhere. S1MPLES.COM doesn't need to access the cookie. It just has an image that links ...

Yes, the browser does an authenticated GET request to SIMPLE.COM. Please describe again how S1MPLE.COM gets hold of the cookie that the browser sends to SIMPLE.COM (and not S1MPLE.COM)? You are claiming that the malicious hacker web app can issue GET requests to retrieve private data. How? S1MPLE.COM can make my browser retrieve data from SIMPLE.COM into my browser. Which it does for me anyway. What is the genius idea that allows a website to steal my private data by embedding an image that links to SIMPLE.COM, when said private data never reaches that website?

code of conduct - report abuse