Love Ajax? Hate The Exploits
Updating parts of a web page without reloading it has been a key piece of the ‘Web 2.0’ online application trend; it now appears criminals may have a way to break those pages open too.
The attack works by using a <script> tag to circumvent the Same Origin Policy enforced by Web browsers.
As my Shmoocon presentation slides discuss, Jikto bypasses the "Same Origin Policy" by using a proxy website like the-cloak, proxydrop, Google Translate, etc.
The concept was demonstrated quite painfully to Google early in 2006. Jeremiah Grossman detailed a GMail flaw that could reveal someone’s GMail contact information. Google fixed that problem shortly thereafter.
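The <script> tag bypass described above works because a cross-site page can include any URL as a script and observe what it evaluates to, while browsers allow that include to carry the victim's cookies but not custom request headers. The following is an added example, not code from the original post, Jikto, or Google: a small server-side guard for a JSON endpoint that (1) refuses requests that do not carry an XHR-only header and (2) prefixes the body with a string that makes it a JavaScript syntax error if it is ever executed as a script. The endpoint data, header name and guard prefix are assumptions chosen for illustration.

```javascript
// Added example: defender-side guard for a JSON endpoint that must not be
// loadable through a cross-site <script src=...> include. Endpoint data, the
// header requirement and the guard prefix are constructed for illustration.

// Prefix that is not valid JavaScript; a legitimate same-origin XHR client
// strips it before calling JSON.parse, a <script> include chokes on it.
const JSON_PREFIX = ")]}',\n";

// A <script> include cannot set custom request headers, but same-origin
// XMLHttpRequest can, so requiring one is a cheap first check.
function isAjaxRequest(headers) {
  const value = headers["x-requested-with"] || headers["X-Requested-With"];
  return value === "XMLHttpRequest";
}

// Build the response for a JSON endpoint: reject non-XHR callers, and prefix
// the body so that even if it were evaluated as script it throws a
// SyntaxError before any data is exposed.
function buildJsonResponse(headers, data) {
  if (!isAjaxRequest(headers)) {
    return { status: 403, contentType: "text/plain", body: "" };
  }
  return {
    status: 200,
    contentType: "application/json",
    body: JSON_PREFIX + JSON.stringify(data),
  };
}

// Client-side helper for the legitimate page: strip the prefix, then parse.
function parseGuardedJson(body) {
  if (!body.startsWith(JSON_PREFIX)) {
    throw new Error("missing guard prefix");
  }
  return JSON.parse(body.slice(JSON_PREFIX.length));
}

// Self-check used by the tests: would this body run as a script body at all?
// A bare JSON array literal is valid JavaScript; the prefixed body is not.
function bodyIsExecutable(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Demonstration with a constructed contact list (not real data).
const sampleContacts = { contacts: ["alice@example.invalid"] };
const blocked = buildJsonResponse({}, sampleContacts);
const allowed = buildJsonResponse(
  { "x-requested-with": "XMLHttpRequest" },
  sampleContacts
);
console.log("no header   ->", blocked.status);           // 403
console.log("xhr header  ->", allowed.status);           // 200
console.log("executable? ->", bodyIsExecutable(allowed.body)); // false
console.log("parsed      ->", parseGuardedJson(allowed.body).contacts[0]);
```

The header check alone is not a complete fix (browsers and framework behaviour around custom headers have varied over the years), which is why the unparseable prefix is layered on top: it breaks the script-include channel regardless of how the request arrived, while a cooperating same-origin client can still read the data.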