Careful when hosting 3rd party apps on subdomains, or how I hacked Facebook (gdeglin.blogspot.com)
77 points by gdeglin on Sept 8, 2010 | hide | past | favorite | 12 comments



This is my first blog post about web security, and hopefully the first of many. I'd love to hear feedback and I'm happy to answer questions. One of the concerns I had with this post was that it is highly technical, but I feel the issue is extremely important since so many sites are vulnerable to these kinds of issues.


I found it well written. Since I don't code the technical side was, eventually, lost on me but I think I still managed to understand the vulnerability, how you identified and tested it, and the solid job you did bringing it to their attention and being heard.


It would be helpful to elaborate on:

  * what document.domain is
  * what hijacking user's session actually implies



I know what hijacking a user's session is, what is document.domain though?
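Two comments in this thread (the elaboration request above and the question just asked) want to know what document.domain is. As an added example that is not part of the linked post or of any comment here, the Node.js script below models the rule browsers apply to the legacy document.domain setter and the resulting same-origin check, without a real DOM. The hostnames, the tiny public-suffix stand-in, and the function and class names are all assumptions made for illustration.

```javascript
// Added example (not from the linked post): a small model of the browser's
// legacy document.domain relaxation, runnable in Node.js without a DOM.
// Hosts and the public-suffix stand-in below are made up for illustration.

// Assumption: a tiny stand-in for the Public Suffix List a browser consults.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// True when `candidate` equals `host` or is a parent domain of it.
function isDomainSuffix(host, candidate) {
  return host === candidate || host.endsWith("." + candidate);
}

// Minimal stand-in for a browser document: it records the host the page
// was loaded from and the value a script assigned to document.domain.
class FakeDocument {
  constructor(host) {
    this.host = host.toLowerCase();
    this.effectiveDomain = null; // null until a script sets document.domain
  }

  // Mirrors the checks browsers apply to the document.domain setter:
  // the value must be the page's own host or a parent of it, and it
  // must not be a public suffix such as "com".
  setDomain(value) {
    const v = value.toLowerCase().replace(/\.$/, "");
    if (!isDomainSuffix(this.host, v)) {
      throw new Error(`SecurityError: "${v}" is not a suffix of ${this.host}`);
    }
    if (PUBLIC_SUFFIXES.has(v)) {
      throw new Error(`SecurityError: "${v}" is a public suffix`);
    }
    this.effectiveDomain = v;
  }
}

// Same-origin-domain check: pages with document.domain untouched are
// compared by host; once either side has set it, both must have set it
// to the identical value. Scheme and port are ignored to keep the model small.
function canScriptAccess(a, b) {
  if (a.effectiveDomain === null && b.effectiveDomain === null) {
    return a.host === b.host;
  }
  return a.effectiveDomain !== null && a.effectiveDomain === b.effectiveDomain;
}

// Returns false if fn() succeeds, true only if it throws a SecurityError.
function throwsSecurityError(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return /SecurityError/.test(e.message);
  }
}

// Walks through the scenario the thread warns about: a third party's app
// hosted on a subdomain of the main site. Hostnames are hypothetical.
function subdomainScenario() {
  const main = new FakeDocument("www.example.com");
  const app = new FakeDocument("thirdparty-app.example.com");
  const result = {};

  // Different hosts: isolated until somebody relaxes document.domain.
  result.isolatedByDefault = !canScriptAccess(main, app);

  // Only the app opting in is not enough; the main site has to do it too.
  app.setDomain("example.com");
  result.oneSidedOptIn = !canScriptAccess(main, app);

  // Once the main site also relaxes to the parent domain, a script on the
  // app subdomain can reach into www.example.com's DOM and vice versa.
  main.setDomain("example.com");
  result.bothOptedIn = canScriptAccess(main, app);

  // Guard rails: a public suffix and an unrelated domain are refused.
  result.publicSuffixRefused = throwsSecurityError(() => app.setDomain("com"));
  result.unrelatedDomainRefused = throwsSecurityError(() => app.setDomain("attacker.example"));

  return result;
}

console.log(subdomainScenario());
```

The practical point for the thread's topic: a script on any subdomain, including one running a third party's code, can opt in to the parent domain, so a main site that sets document.domain on its own pages has extended full DOM access to every subdomain that does the same. Two caveats worth keeping in mind: cookies set for the parent domain are sent to, and readable by, every subdomain regardless of document.domain, which is the usual route to session hijacking in this setup; and current Chromium builds disable the document.domain setter by default, so the relaxation modeled here is a legacy behaviour that sites should no longer rely on.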



It was great to hear a story about responsible disclosure working perfectly. Usually all you hear about is when the shit hits the fan and the guilty company is left with their pants down after having months to pull them up.


Thought it was well written. Would like to see a bit more focus on risk, i.e., likelihood and impact explored a bit more.

On specific vulnerabilities like this I like the CVE format: e.g. http://www.securityfocus.com/bid/38615/info

information / background, exploit, solution, then some discussion on risk


Digg actually had a similar problem a few years ago with pbwiki running on a subdomain:

http://www.phoboslab.org/log/2008/06/how-i-hacked-digg


nice


Great post!


Great post, keep them coming



