Old 04-02-2007, 11:10 AM
mcevoys mcevoys is offline
Special Member
 
Posts: 149
Ajax vulnerability: How 'bout ZCS?

Web 2.0 is vulnerable to attack

Fortify Software, which said it discovered the new class of vulnerability and has named it "JavaScript hijacking", said that almost all the major Ajax toolkits have been found vulnerable.

...

"JavaScript Hijacking allows an unauthorized attacker to read sensitive data from a vulnerable application using a technique similar to the one commonly used to create mashups," Chess writes in a white paper published today.

And Fortify now claims that attackers can exploit this loophole to log into Ajax applications pretending to be their victims, and then receive any data that this application would ordinarily serve up using JSON.

In an example attack, a victim who has already authenticated themselves to an Ajax application, and has the login cookie in their browser, is persuaded to visit the attacker's web site. This web site contains JavaScript code that makes calls to the Ajax app. Data received from the app is sent to the attacker.


Any ideas if there are security implications for ZCS?
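The weak JSON pattern the quoted article describes, beside a hardened form of the same endpoint, as an added example that is not from this post, Fortify's paper or Zimbra; the request/response object shapes, the session store and the `x-csrf-token` header name are assumptions.

```javascript
// Added example, not code from the forum post or from Zimbra (ZCS).
// Minimal request/response objects are assumed (no web framework).

const CONTACTS = [{ name: "alice", email: "alice@example.invalid" }]; // constructed sample data
const SESSIONS = { s1: { user: "alice", csrf: "tok-c0nstructed" } };   // constructed session store

function sessionFor(req) {
  const id = req.cookies && req.cookies.session;
  return id && SESSIONS[id] ? SESSIONS[id] : null;
}

// Weak pattern from the article: any cookie-bearing GET gets a bare JSON array.
// A <script src="..."> on a third-party page also sends the cookie, and a bare
// array literal is valid JavaScript, so that page can observe the returned values.
function weakHandler(req) {
  if (!sessionFor(req)) return { status: 401, body: "" };
  return { status: 200, contentType: "application/json", body: JSON.stringify(CONTACTS) };
}

// Hardened pattern, three layers:
//  1. POST only: a <script> tag can only issue GET.
//  2. Per-session anti-CSRF token in a custom header: a cross-site <script>,
//     <img> or <form> can neither read the token nor set the header.
//  3. Non-executable prefix: even if the body were loaded as a script it would
//     loop instead of yielding data; the legitimate client strips it before parsing.
const PREFIX = "while(1);";
function hardenedHandler(req) {
  const session = sessionFor(req);
  if (!session) return { status: 401, body: "" };
  if (req.method !== "POST") return { status: 405, body: "" };
  const token = (req.headers || {})["x-csrf-token"];
  if (token !== session.csrf) return { status: 403, body: "" };
  return { status: 200, contentType: "application/json", body: PREFIX + JSON.stringify(CONTACTS) };
}

// Client side of the hardened pattern: refuse anything without the prefix, then parse.
function parseGuardedJson(body) {
  if (!body.startsWith(PREFIX)) throw new Error("unexpected response format");
  return JSON.parse(body.slice(PREFIX.length));
}
```

Either of the first two layers alone blocks the script-tag fetch; the prefix is defence in depth for endpoints that must stay reachable by GET.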