
Password storage and distribution service for everyone
Recently I came across an interesting service: it lets you store your passwords from various sites on it and, if you wish, post to all of those sites at once from a single interface.
I don't use such services myself and don't understand why they are needed, but I wondered how well the user passwords on these sites are protected.
Poking around the service, I found a couple of XSS holes. But which site doesn't have them? Even Habr hasn't closed all of its own yet (although Habr doesn't store other people's passwords, so it can be forgiven).
I was even more surprised to find that changing a user's password, or any of their data, on this service requires nothing more than their cookie. There is no simple measure such as binding sessions to an IP address, let alone requiring the password to be re-entered when changing critical data. That is completely unforgivable; even Habr shows no such disregard for security.
But that is not the funniest part. By chance I discovered that if you change the email address in your profile, the system cheerfully sends the user's unencrypted password to the new address. This is not acceptable: a user's password must not be stored unencrypted, let alone sent in the clear by mail to anyone...
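The two controls the post says are missing (re-authentication before a critical profile change, and never mailing a stored password) in a minimal account store, as an added example; this is not bestpersons.ru code, and the in-memory store, the confirmation URL and the field names are assumptions:

```python
import hashlib
import hmac
import os
import secrets


class AccountStore:
    """Constructed in-memory user store; a real service would back this with a database."""

    def __init__(self):
        self.users = {}          # username -> {"salt", "hash", "email"}
        self.pending_email = {}  # confirmation token -> (username, new_email)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Store only a salted PBKDF2 hash; the plaintext password is never kept.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": self._hash(password, salt), "email": None}

    def verify_password(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        # Constant-time comparison of the stored and freshly derived hashes.
        return hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"]))

    def change_password(self, username: str, current: str, new: str) -> bool:
        # Critical change: a valid session cookie alone is not enough, re-authenticate.
        if not self.verify_password(username, current):
            return False
        salt = os.urandom(16)
        self.users[username].update(salt=salt, hash=self._hash(new, salt))
        return True

    def request_email_change(self, username: str, current: str, new_email: str):
        """Re-authenticate, then mail a one-time confirmation link (never the password)."""
        if not self.verify_password(username, current):
            return None
        token = secrets.token_urlsafe(32)
        self.pending_email[token] = (username, new_email)
        # Returned instead of mailed so the example runs offline; URL is a placeholder.
        return {"to": new_email, "body": f"Confirm your new address: https://example.invalid/confirm?t={token}"}

    def confirm_email_change(self, token: str) -> bool:
        entry = self.pending_email.pop(token, None)  # single use
        if entry is None:
            return False
        username, new_email = entry
        self.users[username]["email"] = new_email
        return True
```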
All this got so interesting that I decided to find out what an attacker could achieve on this site.
Having written a small script and applied a bit of psychology (to get people to visit the profile that hosted the script), I obtained the plaintext passwords of about 400 users of the service. Given that 80 percent or more of people use the same password on several sites (and sometimes for their email as well), and that the list of sites a user is registered on can be seen right in their profile (this is the main "feature" of the service in question), it is simply a paradise for attackers.
With a bit more JS code you can get hold of a person's password, post it to their other blogs (if they set up this "feature" on the service), and, if the user is "lucky" (or reckless), gain access to their accounts on other sites.
What is this wonderful service?
It is bestpersons.ru, whose programmers proudly wrote about the XSS they found on Jaiku itself! UPD: they're not proud anymore :(
Good luck to those who use services that “combine sites.”
P.S. And they also provide OpenID ;)
Continuation of the story