Cross-Site Scripting Enabled On 1000 Major Sites

An anonymous reader writes: A CloudFlare engineer has discovered that 1000 of the top one million websites, including bitcoin holding sites and trading sites, are running a default setting that enables cross-site scripting. This article details his examination of the top 1 million Alexa sites for evidence of compromised settings and finds that about 1000 of the sites on the list are capable of being compromised because of running a header called Access-Allow-Origin. He found the vulnerability while working on a legitimate use of domain-communication called Cross Origin Resource Sharing for the Stripe API. The header, which Johnson claims the vulnerable websites are outputting, is concluded with a wild-card asterisk, meaning that the sites in question are giving full permission for cross-domain communication via venerable protocols such as SOAP/AJAX XML exchanges.

Bad Summary

Bad summary, as usual. Access-Control-Allow-Origin: * explicitly forbids requests with credentials. Even if the host reflects the Origin domain in the Access-Control-Allow-Origin header, it must also send Access-Control-Allow-Credentials: true to be vulnerable.
https://annevankesteren.nl/2012/12/cors-101