14 comments

[ 2.9 ms ] story [ 32.8 ms ] thread
When I interviewed at Facebook as a new grad 7 years ago, I used my "Ask your interviewers a question" time to ask precisely this because I'd been trying to play around with the client side javascript and the constant infinite for loop always stood out to me.
Cool story! How did it end up?
Been working there since :). I got a better/full answer after joining from one of the security engineers giving one of the starting training talks.
Congratulations! That's a heck of a good story - thanks for sharing.
Yet another reason third-party cookies shouldn't exist
This, and this sort of thing in general, are why I'm not very enthusiastic about security on the web.

Facebook and Google can avoid security holes like these, sure. Perhaps you will too -- that is, you'll avoid this particular one. What about the fifty others, subtly interdependent sources of security problems?

Amazing site, it tells me that I'm offline :)
What's the deal with this? The Atlantic, Wired, and dev.to all tell me I'm offline on first load. I have to use ctrl-shift-R to get any page content, and I've never been offline when this happens.

I mean, I'm assuming there are service worker shenanigans at play here, but given that it's always wrong about my online status, this seems like a fairly big bug on someone's part. Just wish I knew where to file or check its status.

Of course, another approach to securing data might be to stop using things for purposes they weren't designed to be used for in the first place... I'm afraid I don't see that happening any time soon, though.
While the attack is using things for a different purpose, using JSON to provide data to a website is totally legit.

I don't see how people could have prevented this without the knowledge of such an attack

(comment deleted)
Just use explicit authentication for API endpoints. Explicit authentication prevents this attack, CSRF and other confused deputy problems.
Google's version is half the size of Facebook's! I love that some engineer went to the trouble of saving four bytes.
I think this is outdated. I tried in Chrome, FF and Safari, and even when I follow what the original linked article does it still does not work.