Nov 29, 2012 at 05:56PM EST
I understand. I feared this would happen for a long time now.
Allowing clients to run JS on the client-side is, and always has been a massive security risk. At best it can be used for maximum trolling and crashing peoples browsers. At worst, it allows opportunity for click-by malware installation, and as you have seen; you use it to break into people’s accounts or KYM’s databases itself.
It’s known as Cross Site Scripting hacking (XSS) and even my profile mode was an XSS hack in itself, I would just never use it for such malicious intent. But other people cannot be so trusted.
That’s why I always stayed quiet about it as much as possible. Not so that other people wouldn’t have a cool looking profile as mine, but to minimize the risk of the wrong minds knowing about it. All those people who begged me for a profile mod; they simply didn’t know the risks. I knew the risks and the more people flaunted the security hole with their browser ponies, the bigger the risks got. In retrospect I guess I was just delaying the inevitable
Upon seeing an actual XSS hack in action, my reaction would have been the same as the staff: ban it immediately. And for KYM’s safety, it is best to leave it that way.
PS: you can still run JS through onclick/onchange properties on html elements. Ban that too.
Cheezburger Blog Advertising Developers Jobs Contact Us
Sign up Now!