Financial Site: Open to XSS Attacks and Other Hacks
Remember when HotOrNot.com left their site wide open to attacks and I schooled them on it? I just came across a site with similar security issues. I’m not going to post the site in question just yet though. It’s a huge financial site that could really be hurt if they were attacked so I’m just giving them the heads up for now.
Message I sent them:
Your member profile and listing pages are likely open to cross site scripting (XSS) attacks and other hacks at the moment. You can take a look at my profile and current listing to see that I did some light CSS tweaking to customize those pages. I didn’t test any potentially malicious stuff since this is a financial site. I’ll be blogging about this on GhettoWebmaster.com fairly soon. I just wanted to give you guys a heads up so you can get this place secured up.
[Profile Page URL Removed]
[Listing Page URL Removed]
I found similar security holes on HotOrNot.com a while back. Info about that can be found via the below link:
http://www.ghettowebmaster.com/code/hot-or-not/
^^^ Those findings ended up getting plugged by Mashable.com here:
http://mashable.com/2007/05/02/hot-or-not-2/
I love your site / the concept of the whole thing. I’d hate to see you guys suffer through any malicious attacks.
Best regards,
Loren J. Williams (LoLo)
It will be interesting to see how this plays out. Stay tuned ;-)
Update (3/8/08):
Well, the cat is out of the bag. The site in question is Prosper.com…
That second link has an official reply from Prosper about the issue…
We were contacted by this blogger about this vulnerability in Prosper’s site on February 15, 2008. Since we were contacted, we have made the code change that will eliminate this vulnerability; although it has not yet been rolled out (a release is expected this weekend). We appreciate the blogger’s help in finding these vulnerabilities.
XSS attacks can introduce significant security issues. We are investigating right now whether this kind of attack can actually do anything malicious on the Prosper site (many security mechanisms are already in place). Nonetheless, there are no known cases of hackers exploiting these vulnerabilities to date. As I mentioned, we are planning to release a fix shortly.
I’ll post all the details after I get word that the “expected this weekend” patching is done.
In the meantime, you can check out my borrower listing over there:
Ninjas Need Funding for Anti-Pirate Propaganda Campaign
^^^ Fo’ realz :P