The summer is over

September 21, 2007
I haven’t posted anything for quite a few weeks – been on vacation :) Now the summer’s over and I’m getting back to work. Expect a new clip on YouTube soon, along with a few exciting posts here.

Still working on Metacafe

July 30, 2007

Metacafe

I’ve been working for the last few days on a Metacafe hack. I’m quite sure they don’t check the input data from their forms as precisely as they should. I hope I’ll be able to post a new vid today showing how to hack Metacafe.

MyBlogLog case: I don’t know how the mysterious h_chk parameter is computed, but it seems h_chk remains the same for the whole day and across different user accounts. That means there’s a huge security hole that allows data to be posted without the user’s knowledge.

Last but not least: MySpace. It is known to be one of the most dangerous places you can visit. A lot of MySpace pages are used by criminals to infect users’ computers with e.g. Zlob or Hackstore. Why is MySpace so buggy? Because it’s so open. You can write your own page, providing whatever content you wish. So an evil person can make a MySpace page full of nasty things.

But is MySpace secure in terms of user access? I’m investigating this right now…


Is MyBlogLog safe?

July 24, 2007

MyBlogLog

I’ve been looking at MyBlogLog’s HTML code for a few days and I have to say that, in terms of security, MyBlogLog is far better than many other “web 2.0” sites. Still, there are some problems worth mentioning.

For example, it’s possible to prepare an evil page which sends a MyBlogLog user’s invitations to selected emails without the user’s knowledge. All you have to do is make a fake form based on the HTML document at http://www.mybloglog.com/buzz/invite/ and then put this document into an iframe. The method used here is exactly the same as in the “YouTube profile editing bug” example.

Of course it’s not that dangerous: sending invitations doesn’t hurt anyone. This method cannot be used to send spam, because MyBlogLog servers do not accept more than 1000 page requests per hour. In my humble opinion, every form inside the user area which can be remotely submitted without the user’s knowledge is a flaw in the overall security of the website. But this is just a pretty innocent trick, not a bug.

Is it possible to remotely execute other MyBlogLog forms? The answer is not obvious. Forms in the MyBlogLog user area are secured with a mysterious h_chk parameter, which seems to be the result of md5() on some unknown string. Form values posted without this h_chk parameter will not be accepted.
Is this enough to ensure security? If you know which h_chk parameter to use, you can hack MyBlogLog. How can someone find the proper h_chk value? I found that h_chk has the same value for many user accounts (i.e. it doesn’t depend on the user’s name or id). It changes every day, so it may be based on the date. It doesn’t change within a few hours’ time.

If I am right and the h_chk parameter is the same for all user accounts, MyBlogLog can be easily hacked. I’ll check this this evening, if time permits.


Dozens of bugs on popular websites?

July 23, 2007

MyBlogLog Metacafe

It’s so obvious I’m surprised I didn’t notice it when writing the previous posts…

Let’s get back to the YouTube “tabbed attack” security flaw. You don’t have to visit YouTube to be attacked from another site. It’s perfectly enough to open an evil HTML document and the attack will be performed. Why is it possible? Because you’re automatically logged in whenever YouTube.com is loaded. So it can be loaded into an invisible iframe tag on an evil website and voilà! – your subscriptions on YouTube are modified.

So, automatic login based on cookie information is definitely dangerous, especially when no kind of token or session id (passed with the URL or with the form data) is used.

Are there any other websites which log you in automatically? I’m really excited to find out. If only I had some time this evening… I think MetaCafe, Revver and MyBlogLog are just worth a try :)


A bug in YouTube fixed, but problem still exists

July 22, 2007

YouTube

In my last post I showed how to remotely and invisibly change someone’s YouTube profile. Apparently the YouTube team spotted this post and fixed the bug – it doesn’t work anymore. However, a few other bugs exist and can be used against a user logged into a YouTube account. As I mentioned before, logging into YouTube is automatic (using cookies), so for most users it’s enough to visit YouTube.com and the evil page at the same time (using a tabbed browser).

Here’s a short example of another bug: you can be logged out of YouTube by visiting another page; look at this example at bragoszewski.com.

Or someone can edit your Subscriptions list, e.g. by adding a new keyword; check this example, which adds the word “hacking” to your subscription list.

The problem with YouTube authorization I describe is not a single bug in a single form. It’s a more dangerous security flaw in the user authentication procedure and should be treated seriously. Guys from YouTube: when you fix this, you can buy me a drink :)


How to hack into YouTube

July 20, 2007

YouTube

If you open YouTube and another page in one browser at the same time (e.g. in two different tabs), this other page can invisibly hack into your YouTube profile and change your personal data. Let’s see how it’s possible.

When you open YouTube, you’re automatically logged in, provided you have a YouTube account and cookies enabled in your browser. So you can go straight to your profile editing page. When you check the code of e.g. the Personal Info page, you can see a huge form tag.

Now let’s see this: I copied this form tag to an empty HTML document, with some modifications (it should point to the YouTube server, so I needed to add an action parameter). I added some JavaScript, so the form is automatically submitted when the document opens. Of course, I changed the home page address (this is not visible on the video). To make this totally invisible, we need another HTML document which contains a simple iframe tag, set to be invisible (using CSS) and pointed at the first document (the one with the automatically submitted form).

We can upload both HTML documents to a server (or it’s just fine to open the second document from disk). When a victim opens both YouTube and the evil HTML document at the same time, his/her account is automatically and invisibly hacked…

Why is it possible? YouTube doesn’t use any kind of token or session id transferred along with the form data. So an attacker does not need to know the user’s personal data or session id to attack. Second, and important, issue: when you’re logged into a website (even one other than YouTube) there’s a lot that can be done from another page, provided it’s opened at the same time in a tabbed browser…

You can see an example of this attack by visiting this page on my Polish blog. If you have YouTube open in another tab of the browser and you are logged in, your personal info will change…


just a few words :)

July 20, 2007

Let’s start. I’m going to publish some examples of what you can do with basic tools, some free time and big, popular websites. They aren’t as safe as we might expect.

