Just One More Thing is a new collective blog dedicated to Apple and Mac stuff.

Last week-end, I’ve discovered a security hole at pssst!, a small Quebecois forum. The comments appear on the same page as the submission fields (post, username, password), and you can (well, you could) put whatever you want in the comments, including Javascript. So I’ve hidden in a comment a script that installed an event triggered by the Submit button that sends to my server the username and password posted, and I got all the usernames/passwords of people who posted after my comment. It was not a very technical hack but nobody thought about it before me.