A page that diggs itself

Make sure you're logged in to Digg.com, then click the "Test" link below. Now go to your digg history, and see for yourself.
This works in Firefox (2, 3) and IE (6, 7?), but not in Opera (although it could). View the source to see how this works, or go to my blog to read the details.
Test
Ok, so it doesn't exactly digg itself. It does require the user to click on a link. However, a click can easily be achieved by deception. Imagine that this link was the "play" button on a video. Wouldn't you click?

Also note that this uses nothing but CSS and iframes. No JS at all. NoScript won't save you here (unless you change the default settings and disallow iframes altogether). All it does is make use of transparent HTML elements and human carelessness.

If JS were available (and in 95% of the cases it is), you could also forge POST content. As such, this attack could also do things like changing your profile, posting comments in your name, or maybe even forging stuff like eGold transactions. (It's basically a form of CSRF, only this time it beats the random token countermeasure.)
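
The defence against this kind of framing is for the target site to tell the browser it may not be loaded inside a third-party iframe. As an added example (not code from this page or from Digg), here is a small checker that classifies a response's framing policy from its headers; it assumes `headers` is an object keyed by lowercase header names, as Node's http module provides, and the sample header sets at the bottom are constructed.

```javascript
// Added example: decide whether a page could be embedded cross-site in an
// iframe, based on its Content-Security-Policy and X-Frame-Options headers.
// Assumes `headers` has lowercase keys (Node's http.IncomingMessage.headers).

function parseFrameAncestors(csp) {
  // Return the source list of the frame-ancestors directive, or null if absent.
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, "").toLowerCase());
    }
  }
  return null;
}

function framingPolicy(headers) {
  // CSP frame-ancestors takes precedence over X-Frame-Options in current browsers.
  const csp = headers["content-security-policy"];
  if (csp) {
    const sources = parseFrameAncestors(csp);
    if (sources !== null) {
      // An empty source list or 'none' forbids all framing.
      if (sources.length === 0 || sources.includes("none")) {
        return { crossSiteFramable: false, by: "csp", allowed: [] };
      }
      // 'self' or an explicit origin list blocks arbitrary sites; only a
      // wildcard or a bare scheme source leaves the page open to anyone.
      const open = sources.some((s) => s === "*" || s === "http:" || s === "https:");
      return { crossSiteFramable: open, by: "csp", allowed: sources };
    }
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { crossSiteFramable: false, by: "xfo", allowed: [] };
  if (xfo === "SAMEORIGIN") return { crossSiteFramable: false, by: "xfo", allowed: ["self"] };
  // ALLOW-FROM is obsolete and ignored by browsers, so it counts as no protection.
  return { crossSiteFramable: true, by: "none", allowed: ["*"] };
}

// Constructed sample responses, not captured from any real site.
const SAMPLE_HEADERS = {
  unprotected: {},
  legacyDeny: { "x-frame-options": "deny" },
  cspNone: { "content-security-policy": "default-src 'self'; frame-ancestors 'none'" },
  cspPartner: { "content-security-policy": "frame-ancestors 'self' https://partner.example" },
};

for (const [name, headers] of Object.entries(SAMPLE_HEADERS)) {
  console.log(name, framingPolicy(headers));
}
```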

What really pisses me off about this is how dreadfully simple it is to perform. I bet it was used millions of times in the wild before, but no one seems to care.

Anyhow, be careful online.
-kGen