
You have bad assumptions. It is all about leveraging access to higher and higher levels.

1. You load the evil JavaScript.

2. That JavaScript adds an image with a URL pointing at localhost:3000.

3. When you load that URL, it causes code execution, causing your computer to open a connection somewhere and start taking instructions.

4. The instructions that arrive include downloading and installing software that takes advantage of known local root vulnerabilities in OS X.

5. Congratulations! Someone rooted your machine!

Nothing in this path required Rails to be run as root, or JavaScript to directly connect anywhere.
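
A defensive counterpart to step 2 above, added here as an example and not part of any comment in the thread: a Rack-style middleware in plain Ruby that refuses requests the browser itself labels as coming from another site, such as an image tag on a third-party page pointing at localhost:3000. The class name `DevServerGuard`, the sample requests, and the reliance on a browser that sends the `Sec-Fetch-Site` header are assumptions.

```ruby
# Added example (hypothetical names): Rack-style middleware, no gems required.
# It decides on the Fetch Metadata headers that current browsers attach to
# requests, before the wrapped application ever sees the request.
class DevServerGuard
  # "same-origin": the request came from a page served by this same server.
  # "none": the user typed the URL, used a bookmark, or similar.
  ALLOWED_SITES = %w[same-origin none].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    reason = rejection_reason(env)
    return @app.call(env) if reason.nil?
    [403, { "content-type" => "text/plain" }, ["blocked: #{reason}\n"]]
  end

  # Returns nil when the request may proceed, otherwise a short explanation.
  def rejection_reason(env)
    site = env["HTTP_SEC_FETCH_SITE"]
    # Header absent: a non-browser client (curl, test suite) or an old browser.
    # This guard cannot judge those requests and lets them through.
    return nil if site.nil?
    return nil if ALLOWED_SITES.include?(site)
    dest = env["HTTP_SEC_FETCH_DEST"] || "unknown"
    "not same-origin (Sec-Fetch-Site: #{site}, Sec-Fetch-Dest: #{dest})"
  end
end

# Stand-in for the real application.
APP = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }

# Constructed sample requests, reduced to the headers the guard reads.
SAMPLES = {
  typed_url:    { "HTTP_SEC_FETCH_SITE" => "none" },
  own_page:     { "HTTP_SEC_FETCH_SITE" => "same-origin" },
  foreign_img:  { "HTTP_SEC_FETCH_SITE" => "cross-site", "HTTP_SEC_FETCH_DEST" => "image" },
  sibling_port: { "HTTP_SEC_FETCH_SITE" => "same-site" }, # e.g. a page on localhost:4000
  curl:         {}
}.freeze

# Runs every sample through the guard and returns { sample_name => HTTP status }.
def guard_statuses
  guard = DevServerGuard.new(APP)
  SAMPLES.transform_values { |env| guard.call(env).first }
end

guard_statuses.each { |name, status| puts "#{name}: #{status}" }
```

The guard only helps if it runs ahead of whatever parses the request, so it belongs at the front of the middleware stack.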



You're right. I wasn't seeing all the angles here. But to say this is limited to Macs seems disingenuous.


It is a tongue-in-cheek reference to widespread perceptions about Rails developers' hardware of choice.


He didn't say it was limited to Macs. He gave it as a random example of what could happen.


I'm pretty sure OP specifically said "Macbook" in the article. But see patio11's comment beside yours.



