If a person is logged in to Del.icio.us, a questionable query can add links automatically to their Del.icio.us library without any confirmation prompt and without asking them to fill out the tag, description and notes. The site needs only the person's Del.icio.us username.
Yes, I have contacted del.icio.us to inform them.
Just change the usrhere to your username in the above example. It will go to example.com, but it will also have added it to your Del.icio.us account page without any prompt. This means that, given the username, and given that the person is logged in, a malicious person can add a ton of links to the person's archive without them knowing. They just replace the url= field with their site, and modify the other information accordingly.
Log in to Delicious. Type in your username in the form below. Click change. Click the link.
The above demonstrates the proper way to use this code. Bad sites can open many of those links at the same time on the same page as embedded frames or popups. For example, you give your username, you click submit, the page loads, and now you have 200 of their links in your Del.icio.us page.
First off, the malicious site needs to get your username. They can likely do so by tricking you into thinking they offer some kind of service, like exporting all your links in some format (txt, pdf, Firefox compatible, Excel, etc.).
Next the site needs to open the malicious url, which they modify, adding their pages in the &url= part of the query and your username where it says usrhere.
The person can be messy and lazy by just adding a ton of iframes, each with a unique malicious URL. As each one loads, its link is added to the victim's bookmarks.
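The server-side cause of the behaviour described above, and one way to close it, shown as an added example (not code from the original post or from Del.icio.us). The handler names, the session dictionary shape, the `csrf` parameter and `SITE_ORIGIN` are hypothetical; the "vulnerable" handler models only what this page describes, a logged-in GET carrying a username and a url that saves silently.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)        # per-deployment secret (constructed)
SITE_ORIGIN = "https://bookmarks.example"   # hypothetical origin of the bookmarking site


def csrf_token(session_id: str) -> str:
    """Token bound to one session; the site embeds it in its own save form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def add_bookmark_vulnerable(method, session, params, headers, store):
    """Saves on any request from a logged-in browser, including an iframe load."""
    if session and session["user"] == params.get("username"):
        store.setdefault(session["user"], []).append(params["url"])
        return 200
    return 403


def add_bookmark_hardened(method, session, params, headers, store):
    """Saves only for requests the site's own form could have produced."""
    if not session:
        return 403
    if method != "POST":                    # state changes never happen on GET
        return 405
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403                          # form posted from another site
    sent = params.get("csrf", "").encode()
    if not hmac.compare_digest(sent, csrf_token(session["id"]).encode()):
        return 403                          # third-party pages cannot read the token
    # The account comes from the session, never from a request parameter.
    store.setdefault(session["user"], []).append(params["url"])
    return 200


if __name__ == "__main__":
    session = {"id": "s1", "user": "alice"}             # constructed sample session
    forged = {"username": "alice", "url": "http://spam.example/"}
    for handler in (add_bookmark_vulnerable, add_bookmark_hardened):
        store = {}
        print(handler.__name__, handler("GET", session, forged, {}, store), store)
```

With the hardened handler the username stops being sensitive, because knowing it no longer lets another site make the logged-in browser save anything.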
I'm not sure if this is even a hack, but it definitely can be exploited by malicious people. For now, I use it to add all my blog's pages to my delicious automatically. It's important to protect your username as much as your password in this case, something most people are unlikely to think about. A site offering services like printing out all your Del.icio.us links in Excel, exporting to Firefox, or making them a pdf could very well be fake, and just shove a ton of their URLs on you, getting more traffic from Del.icio.us' most popular list.
This can also be useful in user-based sites. Having the person click the "add to del.icio.us" on any page, then having the page automatically add itself, is just convenient. An option can even be given to the user for those who want to add the details themselves, or have the "malicious" code add the code for them.
I was originally looking for a faster way for users to tag my site, and possibly fill out tagging info for them. I used the questionable url modification to add all the pages of my blog dynamically onto my delicious page.