views:

67

answers:

4

I have been reading this - http://scarybeastsecurity.blogspot.com/2008/08/cross-domain-leaks-of-site-logins.html

I do not understand it completely. The PoC displays an alert to the user. How does this help an attacker?

From trying to understand that PoC, would it not rely on a CSS id of blah being present?

How would you know in advance that it is different for authenticated users from non-authenticated users, and how is that difference being checked?

A: 

From the code snippet, yes, it does rely on the id 'blah' being present. But there are many other ways to find an element inside of the DOM.

Moin Zaman
+1  A: 

It is correct that there needs to be an HTML element with a specific id, but the "attacker" will be in control of the HTML elements. The point of the demonstration is that if you're the owner of a website, say example.com, you can create a page that will figure out whether or not your visitors are logged into Myspace. The author just uses an alert to demonstrate this, but a real "attacker" would do other things with this information.

Again, example.com can know whether or not you're logged into myspace.com.

That's information leakage. It's not terrific, but it's leakage that shouldn't occur. Whether you can do anything useful with this information or not is another topic.

deceze
A: 

Aside from potentially helping to identify if a session or cookie is worth 'stealing' (though I'd dispute its validity for doing so), this method doesn't really yield any great benefit, unless someone is foolish enough to have user information in the CSS itself (as the blog post itself mentions). The only real way I could think of this being valuable is if, for example, the CSS defined some background image, or such, with a login, such as: www.yoursite.com/generateBackground.php?forUser=MyUser&withPass=MyPass - but in that case, you have far more comprehensive problems.

I'd consider this sort of 'attack' (I use the term very, very loosely here) to be a bit of a misnomer, as it's only about as useful as finding 'log out', or some other arbitrary string in some HTML (yes, I realise HTML/DOM-based XSS are largely protected-against). In either case, as you rightly say, it doesn't really help anyone, other than potentially giving them some hardly-useful information.

James Burgess
It's not the same here: it argues the CSS/stylesheets can be exploited; reading HTML/DOM cross-domain has been locked down well for a while. It's a somewhat lame example with the static ids/names though. The element being inspected is from the ATTACKING domain, and the CSS/stylesheet is hosted on the VICTIM domain.
pst
I wasn't suggesting HTML XSS was do-able, I was suggesting it was about as useful as reading an arbitrary string such as "Log Out". It may indicate (albeit not conclusively) that the user is logged in, but it still yields no useful information for constructing a 'proper' attack. Edited my answer to clarify my meaning (thanks for the input)!
James Burgess
+3  A: 

From trying to understand that PoC, would it not rely on a CSS id of blah being present?

I think it’s rather a CSS rule that changes the class show that is used in this case. And the problem here is that browsers are too tolerant when trying to parse documents.

In this case I guess the linked “stylesheet” is an HTML document that contains a CSS rule for the class show that changes the margin-top value significantly. The ID blah is just used to get a quick handle to that element with the class show.

Now to your other questions:

How does this help an attacker?

Not much. Since I think the linked “stylesheet” is only interpreted as a stylesheet, you probably won't get more information than the stylesheet that is used there.

How would you know in advance that it is different for authenticated users from non-authenticated users, and how is that difference being checked?

I guess he’s a MySpace user too and noticed that there is an additional CSS rule when he’s logged in.

Gumbo
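Gumbo's explanation above, as an added illustration that is not part of the original thread: a toy parser with CSS 2.1-style error recovery shows why an HTML page linked as a stylesheet can still contribute a rule that differs with login state, and the last function is the check browsers apply today (a cross-origin stylesheet is only applied when served as text/css). The two HTML bodies and the selector pattern are constructed assumptions, not MySpace's markup.

```python
import re

# Constructed stand-ins for a victim page fetched while logged out and while
# logged in; the logged-in variant carries one extra inline rule.
LOGGED_OUT_HTML = ("<html><head><style>body{margin:0}</style></head>"
                   "<body><p>Please log in</p></body></html>")
LOGGED_IN_HTML = ("<html><head><style>body{margin:0}\n"
                  ".show{margin-top:5000px}</style></head>"
                  "<body><p>Welcome back</p></body></html>")

# Toy notion of a valid selector: a single type, class or id selector.
# Real selector grammar is far richer; this only has to reject HTML-tag junk.
SIMPLE_SELECTOR = re.compile(r"^[.#]?[A-Za-z_][\w-]*$")


def tolerant_rules(text):
    """Return {selector: {property: value}} using CSS 2.1-style recovery:
    a malformed statement is skipped up to its closing '}' and parsing resumes,
    so junk before a rule destroys only that rule, not the ones after it.
    Nested blocks are not handled (toy parser)."""
    rules = {}
    pos = 0
    while True:
        open_brace = text.find("{", pos)
        if open_brace < 0:
            return rules
        close_brace = text.find("}", open_brace)
        if close_brace < 0:
            return rules                      # unterminated block: stop
        selector = text[pos:open_brace].strip()
        body = text[open_brace + 1:close_brace]
        pos = close_brace + 1                 # resume after this statement
        if not SIMPLE_SELECTOR.match(selector):
            continue                          # malformed prelude: rule dropped
        decls = {}
        for decl in body.split(";"):
            if ":" in decl:
                prop, value = decl.split(":", 1)
                decls[prop.strip().lower()] = value.strip()
        rules[selector] = decls


def login_state_visible(stylesheet_text):
    """True if applying this 'stylesheet' would move an element of class
    'show' so that script on another origin could notice via computed style."""
    margin = tolerant_rules(stylesheet_text).get(".show", {}).get("margin-top", "0px")
    return margin != "0px"


def cross_origin_stylesheet_allowed(content_type):
    """Current browser rule: apply a cross-origin stylesheet only if served as
    text/css, so an HTML document linked as a stylesheet is ignored entirely."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type == "text/css"
```

Run `login_state_visible` on both bodies to see the difference the PoC relies on, and `cross_origin_stylesheet_allowed("text/html; charset=utf-8")` to see why it no longer works cross-origin.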