On Tue, Apr 7, 2009 at 6:56 PM, Matthew Dempsky <matthew@xxxxxxxxxxx> wrote: > As an update, since I submitted my first message, Adgregate changed > their validation mechanism. The current method is still > intermittently vulnerable to replay attacks, but now there's actually > an expiration mechanism to deal with. I've updated http://shinobi.dempsky.org/~matthew/adgregate.html to handle the new validation mechanism. It's basically the same as before, except every 5 minutes (aligned with the hour) the (single, global) validation string changes. You can easily retrieve the current one using curl: $ curl -e https://secure.adgregate.com/vid_m_widget.swf \ > https://secure.adgregate.com/validatewidget.aspx?wid=1 &validation=3F228F6F-6B30-4BB4-A7D0-EF5D7F4ABD54 I'll continue updating the above URL as they (hopefully) further revise the scheme, but I'm going to refrain from spamming BugTraq about it.
