[paledot]

Or exfiltrate their session cookie, or post spam/phishing links on their behalf...

[sillysaurusx]

Session cookies are generally not available to javascript. The latter is true though.

[None4U]

Perhaps HttpOnly wasn't as prevalent back then?

[matsemann]

Yup, no CORS either, all protections relied on having proper CSRF-tokens, but with JS access one could read that token as well.

My "hack" was mostly pretty harmless. Just did some layout changes to make my profile cooler. But the door was wide open for anything.