Tag Archives: security
This post has a twofold goal. One is to make users aware of the implications of non-secure login forms. The other and most important one, given the nature of this blog’s audience, is to make website makers and webmasters aware of this problem and of how easily they can solve it.
I’ll also examine the alternative of implementing OpenID as the sole login provider of a website, and how it becomes the most suitable option for the majority of scenarios today.
Two nights ago I was editing my Digg profile and couldn’t help but think about the recent Mikeyy and Twitter revolt. Within minutes I had found an XSS exploit that could theoretically allow me to achieve the same.
Half an hour later, I had a working worm ready to infect everyone that saw my profile page, which also would propagate to theirs.