I like playing with security... its fun to break things (of my own or with permission) and its what makes security work. If we never tried to break the design and assumed security then the less moral of us would and they would find our code easy pickings. XSS is one of my personal favorites because they are everywhere, usually easy to find, and can be super nasty (sammy is my hero)

So when i heard that Obama was going to make the WHITEHOUSE.GOV website a Drupal site i thought it was quite dumb... i mean its the whitehouse... you need a friggen CMS? hell waste some money on an old fashion webmaster and have it all flat html (i just think that a defaced homepage for america would totally suck) with the code for the site open source I instantly now know about most of the code that whitehouse.gov runs on and i can do my own pen testing before i even try on the whitehouse.gov domain. I wasnt alone in this ha.ckers.org makes these same exact points... and i commented on it

flash forward 211 days

what happens across my RSS feed? do my eyes decieve me? zomg its an article describing how Drupal is redefining its policy to clarify it only supports security on STABLE releases
and...

The clarifications are a response to the discovery of a potentially serious XSS hole in the Drupal Context module three weeks after White House developers proudly released their own plug-in based on the buggy module.

- from The Register

i hate being right

now i haven't looked at the XSS hole myself yet but they said it was in the administrative console (they say that makes it limited i think that now i can steal the admin auth cookies) even if they caught it in time this is the exact issue i was warning about. am I crazy? what do you think? id love to spark off a good discussion on it :)

This video was freaking awesome and it shows the whole start... but i wanted to skip that so heres some extra... to start the youtube video at a certain place you just need to add &start=58 and for autoplay &autoplay=1 to make it auto start...
heres a sample of the code below... im really liking Americas Got Talent and this is ony one of the super cool acts


if your really bored you can go look at my cool share chart and get your own and later fools! lolz :)

I rule teh interwebz

UPDATE

Matt Cutts did his own little debunk here

Original Post

earlier i wrote a post in which I explained "Facebook divulging your identity to advertisers" and again now poor Facebook has another one. This one stems from Google loving Facebook too much... well its kinda like that.They were indexing pages that have no value but have email addresses displayed on them, when you enter your password and it scans your email account address book you choose to have Facebook send them an email on your behalf. now some people may want nothing to do with Facebook and they consider the message spam. So to provide a good experience for these people they give them an opt out link (thanks i really hate those emails) because this is sent to an email address it really should never become public, unless someone intentionally releases it. Here on hacker news a Facebook employee unofficially points out one of the pages that was leaking information (they have removed the address now i think its useful to make sure im removing the right address) but this links should have never been found and crawled... how did they find it? because it was publicly published oh now I get it... Yes Facebook could have done <meta name="robots" content="noindex"> but like other issue its small... quick fix... and those pages even seem to be gone from index already so again we have a minor data leak caused by user themselves that probably never could have been thought of. we dont just sit around and go oh i know some weirdo has no privacy anyways and will post the link publicly spiders will crawl and then people will be able to pull emails out of the search engines index oh noes! im mean we are nerd but we aren't psychic welcome to the digital world. Stay off the interwebz if you dont like it

just my opinion

the infamous

- Carter Cole

leave me your comments id love to agree or disagree with you :)