Duh

Apr 20, 2009 21:47

So... almost three months ago I wrote an exploit that would perform a Type 2 Persistent XSS or a CSRF attack on one of the world's largest profiling sites. Dutifully, I informed them via multiple sources and notified them of how to fix the breach. I have since sent them several reminders, but they have still not patched this hole.

This is not a minor hole. It affects a significant minority of their users. Not so bad. What is bad is that it lets you:

a) Use it as a vector to perform alternative attacks on tens of thousands of vulnerable users
b) Seize accounts (inc. administrative accounts!)
c) Perform actions on certain merchant sites (such as banks) using that user's credentials!

It's not as though this site doesn't employ full time staff. It's also not as though the site is small enough to not have the resources to dedicate to a problem like this (it's pretty darn huge).

Although I do believe in public disclosure as a source for good, if this problem doesn't worry the site now, I doubt putting up the vulnerability will do anything but put more innocent users at risk. To date, users have been complaining about minor attacks (such as advertising redirects) using the exploit, but I haven't seen it used seriously in the wild. Given the power of the attack, perhaps this is simply because no one wants to step up to the plate.

On the other hand, it's only a matter of time before somebody loses money... or somebody hijacks an administrative account. Getting to say 'I told you so' isn't going to be much consolation either way.

As usual, there's a simple fix for you if you're reading this blog:

Firefox and NoScript. Don't leave localhost without it.

Went ghost hunting last night. Didn't find anything terribly exciting. We found one interesting light artifact... but it was nothing more than that. When viewed through my NVGs (yeah, I bought some night vision!) there was a pitch black shadow cast against a tree. Whilst we couldn't explain why it was so black, it's clear where the shadow originated from. It was otherwise pretty uneventful.

Developing an iPhone web application that'll encapsulate a few of my security tools. Currently it has Sciolist, my SSL vulnerability scanner, and I'm writing a port scanner and HTTP web server analyser to go alongside it.

Bought Munchkin Quest and played it with a friend who slept over. It's a little more complex than the other Munchkin-brand games, but it's still good fun. It's like an amalgamation of all my favourite board games. My new friend is also a Magic fan :]. I did, however, get little sleep over the weekend... and I'm somewhat ill. So I've got little energy at the moment.