At the Mozilla Pyjama party during Blackhat, Jeremiah and I met up with Bubba Gump and he shared with us an interesting story on how he was able to do something similar to the Samy worm on another social networking site. His story just goes to show that there are so many other websites which are still getting hacked the same way but either have no clue or are in denial. We asked him to share his story with others in the community too, and if he could write it for us then I would post it on my blog. The site developers were already notified of the vulnerability and they have fixed it, so I am posting this story on my blog. Here it goes:
A while back I read a Newsweek article about a new social networking website called GoLoco.org. This site is designed for making car-pooling arrangements and is run by an environmentalist CEO named Robin Chase. The idea is to help the environment and save money on gas at the same time – an interesting concept.
After signing up for a free account on the GoLoco site, I couldn't help but play around with it a bit. I started by going to the Modify Profile page and injecting <> tags into various items in my profile to see what would happen. For the most part, any tag I injected would be properly HTML encoded before being echoed back onto the page. However, they forgot to lock down two of the fields in my profile. Upon further experimentation, I found that each field had a max length of 255 characters and could hold a persistent Cross-Site Script. Nice!
Although some very interesting feats could be accomplished with this vulnerability, I sat on this info for a while – the Goloco site was new, with only about 1000 users at that time. There wasn't much glory to be had in creating another Samy worm on this site.
But two weeks later I received an email from Robin Chase. She laid down a challenge – the first Goloco user to exceed her in number of friends would win a free t-shirt. It was almost like she was asking to be XSSed!
I started by inserting some AJAX code into my profile that would make the person viewing it automatically POST a request to become my friend. In order to get more people to view my profile, I posted a trip from Boston to California. Most of the site's users are from Boston, so they would see this trip listed on their homepage upon logging in. Clicking on the Trip Details link would bring up my profile, which would cause the user to unknowingly make the friendship request.
I expected to start receiving lots of friendship request emails, but was disappointed at first. An average of just one or two requests came in per day, which reflected the low amount of traffic on this site and the fact that a user would have to click on my link out of a list of about 20 trips in order to be hit with the XSS. Clearly I needed to re-think my approach.
A little more exploration of the site led me to the breakthrough that I was hoping for. It turns out that the trip location names were also Cross-Site Scriptable, and the destination location name is what showed up on the homepage after a user logs in. This means that users no longer had to click on my link to get hit with the XSS – all they needed to do was log into the site and they'd immediately request to become my friend. I did not attempt to make the XSS payload wormable because I did not want to do anything that would cause damage to other people's profiles or trips.
After this new, improved XSS was put in place, the friendship requests started pouring in at a rate of about 15 per day, which for this particular site was impressive. A nice, unexpected side-effect is that I would receive an email every time a user logged into the site. I quickly got to learn the usage habits of various people – for example, one of the employees of the site had a strange tendency to log in at 4:00 AM. I also experienced another unintended side-effect. The site had no controls in place to prevent duplicate friendship requests from the same person, so I began to get spammed with duplicate requests as the same user hit the homepage multiple times. This became annoying after a while, so I modified my XSS to drop a cookie on the user's machine to track whether or not they had submitted a friendship request already – ah, much better!
While waiting for the friendship requests to come in, I explored the site a bit further, this time looking for interesting HTML comments. I discovered that the site's developers were displaying private communications between members in HTML comments. I was able to obtain lots of interesting info this way, including the names of all of the site's developers and CEO Robin Chase's cell phone number. This would come in handy later.
After three days, I had built up enough friendship requests to exceed Robin. And in fact, the last person to get hit with my XSS was none other than Robin Chase herself, who logged in bright and early at 6:45 AM. I removed the XSS, accepted all of the friendship requests that had queued up, and counted my friends – sure enough, I was ready to claim my prize.
Later that morning I called Robin and claimed my t-shirt. Interestingly, she didn't ask me how I obtained her cell phone number or how I had acquired so many friends so quickly. But she congratulated me and told me she'd send me the t-shirt.
Shortly after that, I got in touch with the people in charge of development for the site and told them about the security issues, which they quickly addressed. Today, Goloco is integrated with Facebook, so I suspect that it is a bit harder to hack than it used to be. And Robin, if you're reading this I just want to remind you that I'm still waiting for my t-shirt!
-Bubba
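The story above turns on three server-side gaps: two profile fields and the trip destination name were echoed into pages without HTML encoding, and the friendship-request handler accepted the same (sender, recipient) pair any number of times, which is why every homepage visit produced another email. The following Python is an added, defender-side example written for this post; it is not code from the original story or from GoLoco, and the field names, the sample profile values, the destination string and the ledger class are all constructed for illustration. It shows the unencoded rendering beside the encoded form, a regression check that reports any field whose raw markup survives into the rendered page, the 255-character limit enforced on input, and a request ledger that rejects duplicates and can flag a recipient whose pending-request count is far above the site's normal volume.

```python
"""Added example, not from the original post or GoLoco: output-encode
user-controlled profile and trip fields, enforce the field length limit on
input, and deduplicate friendship requests on the server."""
import html
import re
from collections import defaultdict
from urllib.parse import quote

MAX_FIELD_LEN = 255  # per-field limit the post mentions

# Constructed sample data (not real GoLoco content): one benign field and one
# carrying the kind of tag the post describes being injected, plus a trip
# destination name that tries to break out of an HTML attribute.
SAMPLE_PROFILE = {
    "about": "Commutes Boston <-> Cambridge, weekdays",
    "car": "<script>alert(1)</script>",
}
SAMPLE_DESTINATION = 'California" onmouseover="alert(1)'


def render_profile_unsafe(fields):
    """'Before' form: values go straight into the markup, so any tag stored in
    a field becomes live HTML for every user who views the profile."""
    return "".join(f"<p><b>{name}</b>: {value}</p>" for name, value in fields.items())


def render_profile_safe(fields):
    """Hardened form: every user-controlled value is HTML-escaped on output,
    quotes included, so it is displayed as text and never parsed as markup."""
    return "".join(
        f"<p><b>{html.escape(name)}</b>: {html.escape(value, quote=True)}</p>"
        for name, value in fields.items()
    )


def render_trip_row_safe(destination):
    """Homepage trip listing: the destination appears in a URL query value and
    as link text, and each context gets its own encoding."""
    url_part = quote(destination, safe="")           # percent-encode for the URL
    text_part = html.escape(destination, quote=True)  # HTML-escape for the text
    return f'<li><a href="/trips?dest={url_part}">{text_part}</a></li>'


def validate_field(value):
    """Input-side check: enforce the length limit. This complements output
    encoding; it is not a substitute for it."""
    if not isinstance(value, str):
        raise TypeError("field must be a string")
    if len(value) > MAX_FIELD_LEN:
        raise ValueError(f"field exceeds {MAX_FIELD_LEN} characters")
    return value


# Matches an opening or closing tag start ("<b", "</b"), not plain "<->" text.
RAW_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def fields_echoed_unescaped(fields, rendered):
    """Regression check: names of fields whose raw value contains a tag and
    appears verbatim in the rendered page, i.e. was not encoded."""
    return sorted(
        name for name, value in fields.items()
        if RAW_TAG_RE.search(value) and value in rendered
    )


class FriendRequestLedger:
    """Server-side record of pending friendship requests. Each (sender,
    recipient) pair is accepted once; repeats are refused instead of
    generating another email, which removes the per-visit duplicate spam."""

    def __init__(self):
        self._pending = set()
        self._per_recipient = defaultdict(int)

    def request(self, sender, recipient):
        if sender == recipient:
            raise ValueError("cannot befriend yourself")
        key = (sender, recipient)
        if key in self._pending:
            return False  # duplicate: nothing recorded, no email sent
        self._pending.add(key)
        self._per_recipient[recipient] += 1
        return True

    def pending_for(self, recipient):
        return self._per_recipient[recipient]

    def unusual_recipients(self, baseline):
        """Monitoring hook: recipients with more pending requests than
        `baseline`, the volume the operator considers normal."""
        return sorted(r for r, n in self._per_recipient.items() if n > baseline)


if __name__ == "__main__":
    print("unsafe :", render_profile_unsafe(SAMPLE_PROFILE))
    print("safe   :", render_profile_safe(SAMPLE_PROFILE))
    print("leaked :", fields_echoed_unescaped(SAMPLE_PROFILE, render_profile_unsafe(SAMPLE_PROFILE)))
    print("trip   :", render_trip_row_safe(SAMPLE_DESTINATION))
    ledger = FriendRequestLedger()
    print("first  :", ledger.request("alice", "bubba"))
    print("repeat :", ledger.request("alice", "bubba"))
```

Running the module prints the two renderings side by side; the unsafe one carries a live `<script>` element while the safe one shows `&lt;script&gt;`, and `fields_echoed_unescaped` names `car` as the leaking field only for the unsafe output. The ledger's second call returns `False`, which is the check the post says the site lacked.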