Day: August 7, 2008

  • Tell Me It Ain't True, Xanga

    "A researcher at Ernst and Young has developed a clever hybrid
    of a GIF image and a Java Archive that is being dubbed a GIFAR, which
    could conceivably be uploaded to any site that allows file uploads and
    then anyone who "viewed" it and was simultaneously logged in to their
    Facebook, Myspace, or Flickr (or Xanga! - my edit) account could have their credentials
    stolen. Kudos to Nate McFeters
    for discovering/demonstrating such a sophisticated attack. He is
    presenting his technique at BlackHat this week (the premier computer security conference, in Las Vegas this week - my edit and emphasis) with the usual
    frustrating omission of "key elements". In other words, just enough is
    left out so determined hackers can figure it out but developers at
    Facebook and Myspace (and Xanga! - my edit) will struggle until a working exploit is
    deployed. Nate suggests that web application sites should be
    filtering uploads to prevent GIFARs from getting deployed, although he
    claims this will be extremely hard to do. I sure hope the content
    filtering and Web Application Firewall vendors are working on simple
    tools to make this possible."

    "Nate points out that this is not a Facebook-MySpace issue, it is
    true of all sites that allow image uploads. Hmm, that is ALL blogs (Xanga, too? no.... yes. - my edit).
    We are talking hundreds of millions of sites. It will be a long time
    (as in never) before that many sites are fixed."

      - NetworkWorld
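
The upload filtering suggested in the quoted article can be sketched as a structural check. This is an added example, not code from the article, the researcher or this blog: it walks a GIF to its trailer and rejects any upload that carries bytes past it or that a ZIP reader (JAR files are ZIP archives) can also open. The function names, the policy and the sample bytes are assumptions made for illustration.

```python
import io
import zipfile

# Constructed sample: a minimal 1x1 GIF89a (43 bytes), not taken from the page.
CLEAN_GIF = bytes.fromhex("474946383961" "01000100800000" "ffffff000000"
    "21f9040100000000" "2c000000000100010000" "02" "02440100" "3b")

def color_table_len(flags: int) -> int:
    return 3 * (2 << (flags & 0x07)) if flags & 0x80 else 0   # bytes, 0 if absent

def gif_end_offset(data: bytes) -> int:
    """Walk the GIF block structure; return the offset just past the 0x3B trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("missing GIF signature")
    pos = 13 + color_table_len(data[10])      # header + screen descriptor + global table
    while True:
        block, pos = data[pos], pos + 1
        if block == 0x3B:                     # trailer: a GIF decoder stops here
            return pos
        if block == 0x21:                     # extension: label byte, then sub-blocks
            pos += 1
        elif block == 0x2C:                   # image: 9-byte descriptor, table, LZW size
            pos += 9 + color_table_len(data[pos + 8]) + 1
        else:
            raise ValueError("unknown GIF block")
        while data[pos]:                      # skip length-prefixed sub-blocks
            pos += data[pos] + 1
        pos += 1                              # zero-length terminator

def check_gif_upload(data: bytes) -> tuple[bool, str]:
    """Hypothetical upload policy: accept only a GIF with nothing else readable in it."""
    try:
        end = gif_end_offset(data)
    except (ValueError, IndexError):          # IndexError: truncated file
        return False, "not a well-formed GIF"
    if zipfile.is_zipfile(io.BytesIO(data)):  # ZIP readers locate the archive from the end
        return False, "also opens as a ZIP/JAR archive"
    if end != len(data):
        return False, "%d bytes after GIF trailer" % (len(data) - end)
    return True, "clean GIF"

def constructed_polyglot() -> bytes:
    """Constructed test fixture: CLEAN_GIF followed by a ZIP holding one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample")
    return CLEAN_GIF + buf.getvalue()
```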
