
Tomer Cohen • 13 years ago

The issue is even worse. Some sites are embedding login to remote websites. Here, for example, you've used Disqus for visitor comments, which may require us to log in from your own site. Now, can you please tell me how to make sure this is the real Disqus login form and not a fake?

Also, please note that sites such as Facebook do require secure login, but after that transfer the users to a plain HTTP site, which allows a man in the middle to grab our session cookies and use our identity. This is what FireSheep demonstrated recently.

MARDY • 5 years ago

NNB6B5

My1 • 6 years ago

I honestly don't know the situation of 8 years ago, but Disqus, ever since I used it, pops open a new window which is clearly the Disqus website, which does the login.

The site here is less a remote login; rather, the whole comments section is remote, meaning that if Disqus really embedded the login into the pages back then, it's THEIR fault.

joepyan • 13 years ago

nice info, tq very much.

wizlynx • 11 years ago

Thanks for giving such important information. Login passwords must be secured and different for each account to avoid these issues.

Identity Theft Protection • 11 years ago

Very good point. This is a good reason why you should not have the same password for all your logins. At least not for your important passwords like your bank account.

Nikhil Wagh • 7 years ago

I have my site. I tried running your script on my site and it worked. I am curious to know if this can be avoided. How can I make my site more secure and keep such attackers away? Thank you.

michaelvenger • 5 years ago

You cannot avoid phishing mitm/maninthemiddle because of the new thing called sap scrip like I'm on a wifi with a dude that I wanna hack I'll use sap stop so if he writes a password I hack him easily so you just cannot be completely resistant to hackers I'm a hacker myself do you out there if someone starts asking for info how to become a hacker I'll bomb your email with bots so f off please if you are trying to become a hacker or security engineer I'm happy to help you all

Paul M • 6 years ago

This page actually tells you what to do.

My1 • 6 years ago

Actually, the bookmarklet became semi-useless. Even on complete HTTPS pages the script executes nicely, which, especially since the advent of devtools in browsers, may make sense. This little bookmarklet may run in a separate context so it can maybe get http scripts into https or whatever.

ipsofact • 5 years ago

What to do after clicking the bookmarklet?

Guest • 11 years ago

Food for thought: if I was a hacker and hacked your email address... all your PayPal and bank information is only one "send a reset code to my email because I 'forgot' it" request away...

Saeed Neamati • 12 years ago

What you described here is interesting. But it might happen only after an XSS attack. In other words, if webmasters prevent their websites from being the victim of XSS attacks, then everything is OK.

alexirt • 11 years ago

@Saeed Neamati - not exactly, you're forgetting Man in the Middle and similar attacks. Imagine a malicious 'free' wifi connection that listens to and modifies non-secure HTTP traffic.
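Two comments in this thread describe the same server-side gap from different angles: Tomer Cohen's point that a session cookie issued after an HTTPS login is later sent over plain HTTP (the FireSheep scenario), and alexirt's point that an untrusted Wi-Fi hotspot can read or rewrite any non-secure HTTP traffic. The script below is an added example written for this page, not code from the blog's bookmarklet or from any commenter; it audits a constructed set of HTTP response headers for the defensive settings that close both gaps (the `Secure`, `HttpOnly` and `SameSite` cookie attributes, `Strict-Transport-Security`, and serving the page over HTTPS in the first place). The session-cookie name heuristics and the sample header sets are assumptions made for the example.

```python
"""Audit HTTP response headers for the weaknesses discussed in the thread.

Added example (not the original page's code). Sample headers are constructed.
"""

from dataclasses import dataclass, field

# Assumed heuristic: cookie names that usually carry a login session.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class Cookie:
    name: str
    value: str
    flags: dict = field(default_factory=dict)  # lower-cased attribute -> value or True


def parse_set_cookie(header_value: str) -> Cookie:
    """Split 'name=value; Path=/; Secure; HttpOnly' into a Cookie record."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    flags = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        flags[key.strip().lower()] = val.strip() if val else True
    return Cookie(name.strip(), value, flags)


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit(scheme: str, headers: list) -> list:
    """Return a list of findings; an empty list means the response is hardened."""
    findings = []
    if scheme.lower() != "https":
        findings.append("page served over plain HTTP: forms and cookies can be "
                        "read or altered in transit")
    hsts_seen = False
    for key, val in headers:
        lowered = key.lower()
        if lowered == "set-cookie":
            cookie = parse_set_cookie(val)
            if not looks_like_session_cookie(cookie.name):
                continue
            if "secure" not in cookie.flags:
                findings.append(f"cookie {cookie.name!r} lacks Secure: the browser "
                                "will also send it on http:// requests")
            if "httponly" not in cookie.flags:
                findings.append(f"cookie {cookie.name!r} lacks HttpOnly: readable by "
                                "script injected via XSS")
            if str(cookie.flags.get("samesite", "")).lower() not in ("lax", "strict"):
                findings.append(f"cookie {cookie.name!r} lacks SameSite=Lax/Strict: "
                                "sent on cross-site requests")
        elif lowered == "strict-transport-security":
            hsts_seen = True
    if not hsts_seen:
        findings.append("no Strict-Transport-Security: later plain-HTTP navigations "
                        "to this host are not upgraded by the browser")
    return findings


# Constructed samples: a weak response and its hardened counterpart.
WEAK_RESPONSE = ("https", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
])
HARDENED_RESPONSE = ("https", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
])

if __name__ == "__main__":
    for label, sample in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for finding in audit(*sample) or ["no findings"]:
            print(" -", finding)
```

Running it lists four findings for the weak response (no `Secure`, no `HttpOnly`, no `SameSite`, no HSTS) and none for the hardened one; a page whose login form itself is served over `http://` gets an extra finding regardless of its cookies, which is the case the thread's bookmarklet was written to expose.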