MemeStreams click-throughs appearing on YouTube
by Acidus at 9:15 am EDT, Mar 13, 2007

noteworthy wrote:
Conceivably these referring URLs could contain 'private' information. At the moment, they include URLs like this:

http://www.memestreams.net/memebox?mode=showmeme&oid=422632

That isn't really a secret, but it's not a URL you'd serve up to just anybody. (The message doesn't display if it's not yours.)

People should be aware that their web browser may publicize their MemeStreams search queries via the "referer" [sic] header, which may then be posted publicly by YouTube for others to see.

Search queries are frequently exposed via referral URLs, but it is perhaps less common to see them posted publicly like this.

The number one rule of web security is "Don't trust what you get from the client." Rule number 1a (because it's derived from rule 1) is "Never give the client anything that is a secret or private, because you cannot trust them to keep it a secret."

Given rule 1a, why are you guys considering anything in the URL of a MemeStreams link a secret? It's common to make this mistake. Google made the same mistake with the Zoom feature in Google Maps, allowing the Google Maps Zoom Hack.

Who cares about an oid? If your web app is secure, it doesn't matter. Does it matter that the Scarface DVD has a product code of 1234567 on Amazon? No, because everything bad I could do with that knowledge (using XSRF to add my upcoming book to your shopping cart, for example) is protected against.
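Acidus's point that the oid is not a secret, as an added illustration (this is example code, not code from the post or from MemeStreams): the handler below enforces ownership on `showmeme` no matter who learned the oid from a leaked referer, so a replayed link yields nothing to a non-owner. The meme ids, owner names and the search URL are constructed for the example.

```python
# Added example: why a leaked referer URL carrying an object id (oid) is harmless
# when the server enforces ownership, and what a referer actually hands over.
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample data: which user owns which meme (ids and names are made up).
MEME_OWNERS: Dict[int, str] = {422632: "noteworthy", 422633: "acidus"}


def params_leaked_by_referer(referer: str) -> Dict[str, str]:
    """Return the query parameters a Referer header would expose to a third party.

    For a search page this is the search query itself; for a memebox link it is
    the mode and the oid. Either way the data leaves the site with the click.
    """
    params = parse_qs(urlparse(referer).query)
    return {key: values[0] for key, values in params.items()}


def show_meme(oid: int, current_user: Optional[str]) -> Tuple[int, str]:
    """Server-side handler: the oid is public; the ownership check is the control."""
    owner = MEME_OWNERS.get(oid)
    if owner is None or current_user != owner:
        # Same response for 'missing' and 'not yours', so a non-owner who
        # harvested an oid from a referer log cannot even confirm it exists.
        return 404, "no such meme"
    return 200, f"meme {oid} (owner: {owner})"


def replay_leaked_link(referer: str, current_user: Optional[str]) -> int:
    """Status a third party gets by replaying a memebox link taken from a referer."""
    leaked = params_leaked_by_referer(referer)
    status, _ = show_meme(int(leaked["oid"]), current_user)
    return status


if __name__ == "__main__":
    link = "http://www.memestreams.net/memebox?mode=showmeme&oid=422632"
    print(params_leaked_by_referer(link))          # the oid does leak ...
    print(replay_leaked_link(link, None))          # ... but an anonymous replay gets 404
    print(replay_leaked_link(link, "noteworthy"))  # only the owner gets 200
```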
