Made Jane Doe hack more realistic
author"arangana <arun@mozilla.com>"
Wed, 05 Dec 2012 14:49:20 -0500
changeset 2 b5f589c0882e
parent 1 29781dff983b
child 3 55f4c617ed05
Made Jane Doe hack more realistic
Overview-UseCases.xml
Overview.html
--- a/Overview-UseCases.xml	Wed Dec 05 14:44:57 2012 -0500
+++ b/Overview-UseCases.xml	Wed Dec 05 14:49:20 2012 -0500
@@ -204,9 +204,9 @@
       <p>But at some point in time, a malicious user -- Jane Doe -- with access to the JavaScript console of John Doe's browser does something of the sort:</p>
       <x:codeblock language="es"> 
       window.localStorage.setItem('src', evil_code);
-      <span class="comment">// evil_code sends photos to Jane Doe's personal server.</span>
+      <span class="comment">// evil_code makes requests to Jane Doe's server with data about John Doe</span>
       </x:codeblock>
-      <p>John Doe's use of the social network is thus compromised by Jane Doe's script injection, since the next time he logs in, and <code>init()</code> is called, <code>evil_code</code> is run, which may upload his private photos to Jane Doe's server.  To mitigate against situations like this, the social networking site might do something like this:</p>
+      <p>John Doe's use of the social network is thus compromised by Jane Doe's script injection, since the next time he logs in, and <code>init()</code> is called, <code>evil_code</code> is run, which may make requests to Jane's server with query strings that reveal who John chats with, and even the contents of these messages.  To mitigate against situations like this, the social networking site might do something like this:</p>
       <x:codeblock language="es">
       <span class="comment">// Synchronously retrieve an MD5 hash of the pristine version of the code</span>
       <span class="comment">// This is retrieved from the server</span>
--- a/Overview.html	Wed Dec 05 14:44:57 2012 -0500
+++ b/Overview.html	Wed Dec 05 14:49:20 2012 -0500
@@ -220,9 +220,9 @@
       <p>But at some point in time, a malicious user -- Jane Doe -- with access to the JavaScript console of John Doe's browser does something of the sort:</p>
       <div class="block"><div class="blockTitleDiv"><span class="blockTitle">ECMAScript</span></div><div class="blockContent"><pre class="code"><code class="es-code"> 
       window.localStorage.setItem('src', evil_code);
-      <span class="comment">// evil_code sends photos to Jane Doe's personal server.</span>
+      <span class="comment">// evil_code makes requests to Jane Doe's server with data about John Doe</span>
       </code></pre></div></div>
-      <p>John Doe's use of the social network is thus compromised by Jane Doe's script injection, since the next time he logs in, and <code>init()</code> is called, <code>evil_code</code> is run, which may upload his private photos to Jane Doe's server.  To mitigate against situations like this, the social networking site might do something like this:</p>
+      <p>John Doe's use of the social network is thus compromised by Jane Doe's script injection, since the next time he logs in, and <code>init()</code> is called, <code>evil_code</code> is run, which may make requests to Jane's server with query strings that reveal who John chats with, and even the contents of these messages.  To mitigate against situations like this, the social networking site might do something like this:</p>
       <div class="block"><div class="blockTitleDiv"><span class="blockTitle">ECMAScript</span></div><div class="blockContent"><pre class="code"><code class="es-code">
       <span class="comment">// Synchronously retrieve an MD5 hash of the pristine version of the code</span>
       <span class="comment">// This is retrieved from the server</span>