Financial Site: Open to XSS Attacks and Other Hacks

March 7th, 2008

Remember when HotOrNot.com left their site wide open to attacks and I schooled them on it? I just came across a site with similar security issues. I’m not going to post the site in question just yet though. It’s a huge financial site that could really be hurt if they were attacked so I’m just giving them the heads up for now.

Message I sent them:

Your member profile and listing pages are likely open to cross site scripting (XSS) attacks and other hacks at the moment. You can take a look at my profile and current listing to see that I did some light CSS tweaking to customize those pages. I didn’t test any potentially malicious stuff since this is a financial site. I’ll be blogging about this on GhettoWebmaster.com fairly soon. I just wanted to give you guys a heads up so you can get this place secured up.

[Profile Page URL Removed]

[Listing Page URL Removed]

I found similar security holes on HotOrNot.com a while back. Info about that can be found via the below link:

http://www.ghettowebmaster.com/code/hot-or-not/

^^^ Those findings ended up getting plugged by Mashable.com here:

http://mashable.com/2007/05/02/hot-or-not-2/

I love your site / the concept of the whole thing. I’d hate to see you guys suffer through any malicious attacks.

Best regards,
Loren J. Williams (LoLo)

It will be interesting to see how this plays out. Stay tuned ;-)
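As an added illustration (this is not code from the original post or from the site in question), here is the defensive pattern the message above is asking for: the profile page keeps the "light CSS tweaking" feature, but only allowlisted declarations reach the page and the text fields are HTML-escaped. The property allowlist and the `prop: value;` input format are assumptions made for the example.

```python
import html
import re

# Allowlist of harmless presentational properties a member may override.
# This policy is assumed for the example; the real site's rules are unknown.
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-family", "font-size",
    "font-weight", "text-align", "border-color",
}

# Values may only contain plain tokens: names, hex colours, units, commas.
# This excludes url(), expression(), quotes, backslash escapes and braces,
# the constructs that turn a "CSS tweak" into script execution in old browsers.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9#%.,\- ]{1,64}$")


def sanitize_profile_css(user_css: str) -> str:
    """Return only the declarations from user_css that pass the allowlist.

    Input is the free-form 'prop: value; prop: value' text a member types
    into a profile customisation box. Anything not explicitly allowed is
    dropped rather than 'cleaned', so unknown syntax never reaches the page.
    """
    kept = []
    for declaration in user_css.split(";"):
        if ":" not in declaration:
            continue
        prop, value = declaration.split(":", 1)
        prop, value = prop.strip().lower(), value.strip()
        if prop in ALLOWED_PROPERTIES and SAFE_VALUE.match(value):
            kept.append(f"{prop}: {value};")
    return " ".join(kept)


def render_profile(display_name: str, user_css: str) -> str:
    """Build the profile fragment: escaped text plus a scoped, sanitised style."""
    safe_css = sanitize_profile_css(user_css)
    # html.escape closes the HTML injection route for the text fields;
    # quote=True also escapes quotes so the name is safe inside attributes.
    safe_name = html.escape(display_name, quote=True)
    return (
        f"<style>#profile {{ {safe_css} }}</style>\n"
        f'<div id="profile" class="member">{safe_name}</div>'
    )
```

Because the sanitiser drops rather than rewrites, a rejected declaration leaves no fragment behind that a later parser could reassemble.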

Update (3/8/08):
Well, the cat is out of the bag. The site in question is Prosper.com…

That second link has an official reply from Prosper about the issue…

We were contacted by this blogger about this vulnerability in Prosper’s site on February 15, 2008. Since we were contacted, we have made the code change that will eliminate this vulnerability; although it has not yet been rolled out (a release is expected this weekend). We appreciate the blogger’s help in finding these vulnerabilities.

XSS attacks can introduce significant security issues. We are investigating right now whether this kind of attack can actually do anything malicious on the Prosper site (many security mechanisms are already in place). Nonetheless, there are no known cases of hackers exploiting these vulnerabilities to date. As I mentioned, we are planning to release a fix shortly.

I’ll post all the details after I get word that the “expected this weekend” patching is done.

In the meantime, you can check out my borrower listing over there:
Ninjas Need Funding for Anti-Pirate Propaganda Campaign

^^^ Fo’ realz :P

  1. zcommodore
    March 7th, 2008 at 14:56 | #1

    There are a bunch of users of the site in question at http://www.prospers.org/forum/ who would like to chat with you if you’re interested. It’s a 3rd-party forum that acts as an unofficial but vibrant community of the site you hacked.

  2. LoLo
    March 7th, 2008 at 18:08 | #2

    I was sleeping when you posted the above comment. If I had been awake, I would have edited out the URL to keep things under wraps for now. Between the comment and Tom’s Ninja Hacks Prosper post, I don’t see a point in trying to keep things quiet-ish now.

    I’ll pop in there in a bit to clear up any questions.

  3. April 4th, 2008 at 10:48 | #3

    Were you going to publish the nitty-gritty details or have you had about enough of it?

  4. LoLo
    April 4th, 2008 at 14:16 | #4

    I’ve just been taking a break of sorts from the net to get some off-line things in order. This post will be the first thing I update once I get back into the swing of things.

  5. September 10th, 2008 at 13:21 | #5

    Still around? I noticed your blog has not been updated in some time.

  6. LoLo
    September 10th, 2008 at 18:11 | #6

    I’m still around. Just been tied up with offline stuff.

  7. May 22nd, 2009 at 10:08 | #7

    Wow, it was nice of you to warn them about this vulnerability!

    Did you get some kind of “Thank You” payment for it? Maybe like a freebie of some sort??

    Just wondering…

  8. LoLo
    May 22nd, 2009 at 19:49 | #8

    Re: Bryan
    Nopers.