Archive

Archive for the ‘General’ Category

Financial Site: Open to XSS Attacks and Other Hacks

March 7th, 2008 8 comments

Remember when HotOrNot.com left their site wide open to attacks and I schooled them on it? I just came across a site with similar security issues. I’m not going to post the site in question just yet though. It’s a huge financial site that could really be hurt if they were attacked so I’m just giving them the heads up for now.

Message I sent them:

Your member profile and listing pages are likely open to cross site scripting (XSS) attacks and other hacks at the moment. You can take a look at my profile and current listing to see that I did some light CSS tweaking to customize those pages. I didn’t test any potentially malicious stuff since this is a financial site. I’ll be blogging about this on GhettoWebmaster.com fairly soon. I just wanted to give you guys a heads up so you can get this place secured up.

[Profile Page URL Removed]

[Listing Page URL Removed]

I found similar security holes on HotOrNot.com a while back. Info about that can be found via the below link:

http://www.ghettowebmaster.com/code/hot-or-not/

^^^ Those findings ended up getting plugged by Mashable.com here:

http://mashable.com/2007/05/02/hot-or-not-2/

I love your site / the concept of the whole thing. I’d hate to see you guys suffer through any malicious attacks.

Best regards,
Loren J. Williams (LoLo)

It will be interesting to see how this plays out. Stay tuned ;-)
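The hole described in the letter above is the classic one behind "I did some light CSS tweaking": whatever a member types into a profile field is pasted straight into the page, so markup and style rules run in every visitor's browser. The following is an added example (not code from the original post or from the site in question) that shows the unsafe rendering next to a hardened version which HTML-escapes the text and only keeps allowlisted CSS properties with simple values. The field names and the sample profile record are constructed for the example.

```python
import html
import re

# Constructed sample profile record; the real site's field names are unknown,
# so "display_name" and "custom_css" are assumptions for this example.
SAMPLE_PROFILE = {
    "display_name": "LoLo <script>alert(1)</script>",
    "custom_css": (
        "color: #333; font-family: expression(alert(1)); "
        "font-size: 14px; background: url(javascript:alert(1))"
    ),
}

# Only a handful of cosmetic properties are allowed through.
ALLOWED_CSS_PROPERTIES = {"color", "background-color", "font-size",
                          "font-family", "border-color"}

# A value is accepted only if it is a simple token: hex colour, keyword,
# number with a unit, or a plain font list. Parentheses never match, which
# rules out url(...), expression(...) and similar constructs.
SAFE_CSS_VALUE = re.compile(
    r"^(#[0-9a-fA-F]{3,6}|[a-zA-Z-]+|\d+(\.\d+)?(px|em|%)|[a-zA-Z ,'-]+)$"
)


def render_profile_unsafe(profile):
    """How the vulnerable page behaves: user input goes straight into the markup."""
    return '<div class="profile" style="%s"><h1>%s</h1></div>' % (
        profile["custom_css"], profile["display_name"])


def filter_css(custom_css):
    """Keep only allowlisted properties whose values pass SAFE_CSS_VALUE."""
    kept = []
    for decl in custom_css.split(";"):
        if ":" not in decl:
            continue
        prop, _, value = decl.partition(":")
        prop = prop.strip().lower()
        value = value.strip()
        if prop in ALLOWED_CSS_PROPERTIES and SAFE_CSS_VALUE.match(value):
            kept.append(f"{prop}: {value}")
    return "; ".join(kept)


def render_profile_safe(profile):
    """Hardened rendering: escape text for HTML and filter the CSS first."""
    name = html.escape(profile["display_name"], quote=True)
    css = html.escape(filter_css(profile["custom_css"]), quote=True)
    return f'<div class="profile" style="{css}"><h1>{name}</h1></div>'


if __name__ == "__main__":
    print("unsafe:", render_profile_unsafe(SAMPLE_PROFILE))
    print("safe:  ", render_profile_safe(SAMPLE_PROFILE))
```

The allowlist approach matters more than the escaping: escaping alone would still let a member ship `expression(...)` or `url(javascript:...)` inside a style attribute, which is exactly the kind of "light CSS tweaking" that turns into script execution on older browsers.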

Update (3/8/08):
Well, the cat is out of the bag. The site in question is Prosper.com…

That second link has an official reply from Prosper about the issue…

We were contacted by this blogger about this vulnerability in Prosper’s site on February 15, 2008. Since we were contacted, we have made the code change that will eliminate this vulnerability; although it has not yet been rolled out (a release is expected this weekend). We appreciate the blogger’s help in finding these vulnerabilities.

XSS attacks can introduce significant security issues. We are investigating right now whether this kind of attack can actually do anything malicious on the Prosper site (many security mechanisms are already in place). Nonetheless, there are no known cases of hackers exploiting these vulnerabilities to date. As I mentioned, we are planning to release a fix shortly.

I’ll post all the details after I get word that the “expected this weekend” patching is done.

In the meantime, you can check out my borrower listing over there:
Ninjas Need Funding for Anti-Pirate Propaganda Campaign

^^^ Fo’ realz :P

Categories: General Tags:

US Airways wants me to get you sick, today.

February 6th, 2008 20 comments

I’m insanely ill at the moment so excuse any typos and whatnot. Here’s the skinny…

1. I booked a round-trip flight with US Airways to spend my birthday with the girlfriend.

2. On Saturday morning (Feb 2) I woke up feeling like absolute shit. Body aches, chills, and a fever which broke 104 at one point. I was supposed to be leaving the next day so…

3. I called US Airways and rescheduled my flight home for Wednesday (today). There was a $20-ish price difference for the new flight. And, they were waiving a $100 fee normally associated with changing your flight.

4. My girl brought me to the emergency room where they pooh-poohed my “I have pneumonia” theory. They said it’s a “viral illness”. So, it’s a common cold on steroids kinda thing and is contagious.

I'm contagious

5. Wednesday is here and I’m still in bed. My girlfriend is sick now too. I called US Airways to see about getting the flight rescheduled again. I was told that the $100 fee could not be waived a second time. I asked if they’d rather knowingly have someone with a contagious illness on two of their flights today. That question was met with silence. So, I asked if a manager could override the charge. After being placed on hold I was told once again that they wouldn’t override it… “Well, I’ll see you guys later today.”

If they were dealing with flights that were near capacity I would be more sympathetic. That’s not the case though…

US Airways want more empty seats in the future

US Airways want more empty seats in the future. Fo realz.

So, what should a ninja do???

Update (5pm):
In spite of all the votes saying I should catch that flight and cough on people, I’m simply going to book with a different airline once I’m feeling better.


MasterCard security issues?

January 22nd, 2008 No comments

Just noticed the below internal message in my ePassporte account. Anyone have the scoop on this? It smells like BS to me. I imagine it was a processing fee issue and ePassporte felt MasterCard was getting more than their fair share. If this is a smear campaign based on something like that, ePassporte just screwed up big time. I smell a lawsuit brewing…

————-
From: Internal Notification
To: [Removed my ePassporte account name]
Received: Jan 10, 2008 2:41 PM PST
Subject: Important Notice about MasterCard Credit/Debit Load Cards

Dear Account Holder,

ePassporte currently does not accept MasterCard Credit/Debit Cards for loading funds. ePassporte does not believe MasterCard’s security procedures meet the standards required by ePassporte to ensure the security of our Account Holders.

Alternatively, you may use a Visa Credit/Debit card to load funds to your ePassporte Account. To add a Visa Card, please log into your ePassporte Account, click on “Load Money”, “Credit Card” and the “Add a New Credit Card” link.

You may also use your US checking account to transfer funds to your ePassporte Account. To add a US Bank Account, please click on “Load Money”, “US Bank Account” and enter your bank account details.

We apologize for any inconvenience this may have caused you. Please do not hesitate to contact us for further assistance.

Thank you for choosing ePassporte.

Best Regards,

ePassporte Account Holder Services

Categories: General, Legal Tags:

Help Fight Malware via Google Toolbar

November 29th, 2007 3 comments

…we need your help in filling in the gaps. If you come across a site that is hosting malware, we now have an easy way for you to let us know about it. If you come across a site that is hosting malware, please fill out this short form. Help us keep the internet safe, and report sites that distribute malware. – Google’s Security Blog

If you come across a site that’s hosting some evil evil bad bad stuff: you should report it. Doing so will be good for the health of the internet as a whole and might save you from having to pass by your Uncle Bud’s house to remove some garbage from his PC so he can get back on “The eBay”. The only problem is that people (you, me, Michael Jackson to some degree) quickly become complacent with reporting such stuff if it’s not super quick and easy to do. So… I tossed together a button for Google’s toolbar that makes reporting malware hosting urls easier than your little sister.

How you would normally go about reporting urls:
1. Copy the malware hosting url. That requires a click, drag, click, click.
2. Access your bookmarks and visit the page where you report these things. That requires a click, seek, click.
3. Paste the url into their form. That requires two clicks.
4. Enter the captcha. That requires being human ;-)
5. Click the submit button.

How you will report urls with the nifty little button:
1. While on the malware hosting url, you click the custom Google toolbar button.
2. Enter the captcha.
3. Click the submit button.

Google Toolbar Malware Report Button

That breaks down an eight-click, one-seek, one-drag, and captcha-entering process into two clicks and the captcha. And, I used a skull icon for the button so it has a decent presence on your toolbar. The mere presence of that should get you into the habit of reporting stuff as you come across it. For all the security nuts out there, I added the feed from StopBadware.org’s blog. The skull’s eyes will turn red to alert you to any new posts they toss up.

Stop Badware: New Blog Entries

Stop Badware Blog Feed

If you already have Google’s toolbar it’s a ‘one click to install’ kinda thing. If not, you can click the same install link to get their toolbar and the button will already be there when the install is done.

To install the “Report Malware Hosting URL” button, Click Here.


Dear Walmart: Your Online Security Blows

July 27th, 2007 30 comments

Gather around kids, this is gonna be a fun one. I might even get sued, finally. Yay!!1

Recently, on some random news station, I heard about Walmart’s new “Money Card” which is nothing more than a prepaid Visa card. Just like any other such card, it has a website where you can check your balance, add funds to your account, etc. Alternatively, you can have your account information stolen, be exposed to hardcore XXX porn, or line the pockets of a bottom-feeding douche bag while trying to reach the site. Why? Because Walmart, just like most companies, is nothing short of retarded when it comes to internet security and protecting their brand in the online world.

Walmart Money Card

But, but, but… Their site says that it’s secure. It even has a nifty little seal on it from Thawte verifying that it’s protected by RC4 128-bit encryption.

Thawte Seal

Yeah, so what? I said that all those evil evil bad bad things could happen to a person while trying to reach the site. I never said that they’d actually make it there. Your good ol’ Uncle Buck or Aunt Charlene who’s not too savvy on that there interweb, but falls perfectly into the demographic of folks who would have a Wally World prepaid money card, is likely to mistype the web address. That’s why any security-minded company who wants to protect their customers and brand’s image would / should at the very least register all of the most common typo domains when setting up shop on a new domain – especially if it’s a financial kinda deal. In Walmart’s infinite wisdom, they did no such thing.

After hearing about this new Walmart card and the accompanying website, I checked to see if they had registered and were forwarding over traffic from one of the most common typos: the full web address prefixed with a “www”. Typing out “www” and then forgetting or simply missing the dot afterwards is commonplace among eTards and fast typers. Sure enough, wwwwalmartmoneycard.com was wide open. So, I registered it. Just for good measure, I went ahead and registered almartmoneycard.com today too. Missing the first letter of a domain is also pretty common. Luckily for Wally World, I snagged those domains with the sole intent of using them as an example for this blog entry. This could have played out much differently…
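The brand-protection checklist the post is arguing for can be automated. The following is an added example (not code from the original post) that generates the two slips named above, "www" fused onto the name because the dot was missed and a single dropped character (generalized from the first letter to any position), and then lists which of those variants a company does not already own. The set of owned domains is a constructed sample; in practice it would come from the registrar account, and each gap would be checked against WHOIS or DNS before registering it.

```python
from typing import Set, List


def typo_candidates(domain: str) -> Set[str]:
    """Return common single-slip variants of a domain such as walmartmoneycard.com."""
    label, dot, tld = domain.rpartition(".")
    variants = set()
    # 1. "www" typed and the dot missed: www fused onto the name as one label.
    variants.add(f"www{label}{dot}{tld}")
    # 2. One character dropped anywhere in the name (first letter is the common case).
    for i in range(len(label)):
        dropped = label[:i] + label[i + 1:]
        if dropped:
            variants.add(f"{dropped}{dot}{tld}")
    variants.discard(domain)
    return variants


def unprotected_typos(domain: str, owned: Set[str]) -> List[str]:
    """Variants of `domain` that are not in the set of domains the company controls."""
    return sorted(typo_candidates(domain) - owned)


# Constructed sample: the company only registered the exact name.
SAMPLE_OWNED = {"walmartmoneycard.com"}

if __name__ == "__main__":
    for gap in unprotected_typos("walmartmoneycard.com", SAMPLE_OWNED):
        print("not owned:", gap)
```

Running it against the sample set lists both domains the post mentions, wwwwalmartmoneycard.com and almartmoneycard.com, among the gaps; feeding the real registrar inventory in as `owned` turns the same function into a recurring check that new product domains get their typo variants registered at launch.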

