<script src='https://audiweb.azureedge.net/audiweb.js' async>
It was unregistered in February.
Used by several large italian newspapers, soccer clubs and sports news sites.
<?php new PDO("mysql:dbname=test;host=db.invalid", "dbuser", "verysecretpassword");
You have to do something extra (catch exception, disable error messages) to prevent it.
The most simple PDO code will have this problem.
It's only a "Note". I wouldn't read "this can leak your passwords" into it.
I never got as many hate messages as when I wrote about this (on Golem.de).
Scenario: A web application wants to communicate with a locally installed software.
Solution: Open HTTP server on localhost, web server can access localhost (e.g. with CORS, JSONP).
If an HTTPS webpage accesses an HTTP origin this can cause browser warnings.
If the local software can run an HTTPS server this means the private key must be part of the software.
... if you find such a software you can break it within 24 hours if you report it to the right people.
beA, Blizzard battle.net, EA Origin, Torrents Time, Mega, ...
It's debatable whether a split web/local application is a good idea in the first place.
Installing a local root certificate works.
But make sure you make it a *custom* local certificate (beA used a shared one).
Newer W3C standard says HTTP can be considered secure if it's localhost.
I saw that some people created bug bounty programs on Hacker One for their personal projects and webpages.
So I created one for my projects, because why not?
No payouts, private / invite only for now.
Several high quality submissions, notably 2 XSS and 2 SQL injections in Serendipity (blog software).
Effectively Serendipity got a free security audit.
You get bogus submissions.
I now had two people warning me about the dangers of exposing my SSH public key.