Lycos pretends to write cross-domain attacks

Lycos runs a free mail service on http://www.mail.lycos.com/. Lycos of course also has an address book, which lives at address.mail.lycos.com. If I'm composing a mail and want to fetch an address from my address book, a simple JavaScript copies the address from the address book into the "To" field of the new e-mail.

The problem with that is that, as a basic security measure, JavaScript does not let scripts work across different domains.

To the browser, http://www.mail.lycos.com and address.mail.lycos.com are two different sites. Lycos changes document.domain to get around this restriction, but:

1) They do so only after some browser sniffing, which means nothing happens if you identify as Opera.

2) The mail page's address has no port number, while the address book's does. Thus the scripts still fail the origin check.

The first point is definitely a bug in Lycos's script. The second is probably a bug in Opera – we are "too secure" for sites that really do their best to look like they are performing cross-domain JavaScript attacks…
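The two failures above, modelled as an added example (not Lycos's or Opera's code): a small simulation of the legacy origin check with document.domain relaxation. It assumes ports are compared as written in the URL (no default-port normalisation), that Lycos relaxes document.domain to "mail.lycos.com", and uses constructed URLs, a constructed port 8080 and constructed user-agent strings.

```javascript
// Added example (not Lycos's or Opera's code): a model of the legacy same-origin
// check with document.domain relaxation, as the post describes it.
// Assumptions: ports are compared as written (no default-port normalisation),
// Lycos relaxes document.domain to "mail.lycos.com"; :8080 and the UA strings are constructed.

function parseOrigin(url) {
  const m = /^(https?):\/\/([^/:?#]+)(?::(\d+))?/.exec(url);
  if (!m) throw new Error("unsupported URL: " + url);
  // domain === null means document.domain has not been assigned.
  return { scheme: m[1], host: m[2], port: m[3] || null, domain: null };
}

// document.domain may only be set to the host itself or a parent domain of it.
function setDocumentDomain(origin, value) {
  const ok = origin.host === value || origin.host.endsWith("." + value);
  if (!ok) throw new Error(`cannot set document.domain to ${value} from ${origin.host}`);
  return { ...origin, domain: value };
}

// Two documents may script each other when their effective origins match.
// A document that set document.domain only matches one that did so too,
// and in the legacy rule the port still has to agree (the post's second point).
function canScriptAcross(a, b) {
  if (a.scheme !== b.scheme || a.port !== b.port) return false;
  if (a.domain === null && b.domain === null) return a.host === b.host;
  if (a.domain === null || b.domain === null) return false;
  return a.domain === b.domain;
}

// Lycos's sniffing as the post describes it: Opera is skipped (the first point).
function lycosRelax(origin, userAgent) {
  if (/Opera/.test(userAgent)) return origin;
  return setDocumentDomain(origin, "mail.lycos.com");
}

// Does the mail page get to copy from the address book in this situation?
function scenario(mailUrl, bookUrl, userAgent) {
  const mail = lycosRelax(parseOrigin(mailUrl), userAgent);
  const book = lycosRelax(parseOrigin(bookUrl), userAgent);
  return canScriptAcross(mail, book);
}

const MAIL = "http://www.mail.lycos.com/";
const BOOK = "http://address.mail.lycos.com/";
const BOOK_WITH_PORT = "http://address.mail.lycos.com:8080/"; // constructed port

console.log(scenario(MAIL, BOOK, "Mozilla/5.0"));           // true: relaxation works
console.log(scenario(MAIL, BOOK, "Opera/7.0"));             // false: point 1, no relaxation
console.log(scenario(MAIL, BOOK_WITH_PORT, "Mozilla/5.0")); // false: point 2, port mismatch
```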
