Unfortunately, I don't see how a vb3 site (or many others) can be truly secure at this point.
All a hacker really needs to do is post something like "hey, look at this really awesome thing" with a link to his own server, where he controls the HTML and JavaScript.
In his HTML there, all he needs is an img tag with src= any URL at your vb3 site, and he accesses that URL logged in as the unsuspecting user. Stupid browsers send cookies to your site on an img request.
img isn't the only tag, either: script tags work too, as do CSS (link) tags, and a few others.
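The server-side check that defeats the img/script/link trick described above, as an added example (not code from the original post or from vBulletin): state changes are refused on GET, and POSTs must carry both a same-site Origin/Referer and a per-session token the attacker's page cannot read. `SITE_ORIGIN`, the function names and the sample requests are assumptions made for this illustration.

```python
# Added example: minimal CSRF defence for a forum action such as "delete post".
# Assumption: the app stores one random token per login session and echoes it
# in a hidden form field; SITE_ORIGIN is the forum's own origin (constructed).
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://forum.example"  # assumed origin of the vb3 site


def new_csrf_token():
    """Fresh unguessable token to store in the user's session at login."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id):
    """Set-Cookie value: SameSite keeps the cookie off cross-site <img>/<script>
    fetches; HttpOnly/Secure are good hygiene on top."""
    return f"sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def csrf_check(method, headers, session_token, submitted_token):
    """Decide whether a state-changing request may proceed.
    Returns (allowed, reason). headers is a dict of request headers."""
    if method.upper() != "POST":
        # A browser fetching <img src=...> or <script src=...> always sends a
        # GET, so refusing to change state on GET removes that vector outright.
        return False, "state changes require POST"
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        # Browsers send Origin on cross-site POSTs; a bare POST with neither
        # header is treated as untrusted rather than waved through.
        return False, "missing Origin/Referer"
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False, "cross-site origin"
    if not session_token or not submitted_token:
        return False, "missing CSRF token"
    # Constant-time compare: the attacker's page cannot read the session's
    # token, so a forged form can only guess it.
    if not hmac.compare_digest(session_token, submitted_token):
        return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    tok = new_csrf_token()
    # Constructed requests: the <img src> fetch, a forged cross-site POST, a real one.
    print(csrf_check("GET", {"Referer": "https://evil.example/bait"}, tok, None))
    print(csrf_check("POST", {"Origin": "https://evil.example"}, tok, "guess"))
    print(csrf_check("POST", {"Origin": SITE_ORIGIN}, tok, tok))
```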