Digg, Delicious, Netscape & Technorati Hacked

March 31st, 2007

or A Javascript To Rule Them All

LMAO I didn’t look at the date, excuse me but this is no April Joke ;-)

Hello visitor! I am very proud to present you the work I’ve done during the last few months: The Creation of a new XSS Worm affecting the popular Social Bookmarking and Blogging platforms del.icio.us, Digg, the “new” Netscape and our friends at Technorati.

Probably you know the phenomenon called “Digg Effect”: Tons of traffic caused by a high ranking on a Social Bookmarking Platform, and because of that a shitload of visitors bringing your servers down, the fear of all sysadmins.

With this Script I’m trying to take this to another dimension: Automatically Adding Links, Making new friends and a lot more Stuff will be done while you’re reading this Post. No, Please don’t leave! Believe me:

I WON’T HARM YOU
I WON’T STEAL ANY INFORMATION
THIS IS JUST AN EXPERIMENT
TO RAISE WEB 2.0 PROGRAMMERS’ SECURITY AWARENESS!

Why is this just an experiment?
I found hundreds of vulnerabilities in well-known homepages, and this time I took the time to connect some of them in order to get the maximum of fun, plus I really improved my JavaScript skills during this task.

How can I be sure you don’t steal any information from your visitors?
You can be sure of that because I promised it to you, but it would be very easy to get your EMail addresses, your Name, your Cookies and whatever else you’ve ever saved on a homepage containing Cross-Site Scripting (XSS) Vulnerabilities (if I were one of the “Bad Guys”!).

What is your aim?
My aim is to make the Creators of popular homepages aware of their security problems and the technique of proper patching (shouts to the del.icio.us fellow who closed half of an XSS vuln ;-) ). XSS is very dangerous for Web 2.0, and most of the companies don’t care about us whitehats notifying them about vulnerabilities. They just don’t reply, so I discovered the “art” of Full Disclosure.

What can be done using such Combined XSS & CSRF Attacks against Web 2.0 platforms?

  • Account and Data theft
  • Manipulation of Rankings (like I’m doing right now), followed by on site advertising -> Money
  • Destroying a Company’s good reputation (That’s really not my intention, if you feel pissed, drop me a line)
  • SPAM via “Tell-a-friend” features and open Mail Scripts/Relays which exist everywhere (Digg, Delicious, Netscape, Yahoo, bla blub). If I had used this in my sweet Script, it would be able to spread all over the Digg/Delicious/Netscape communities. You can get all the user information - powered by Javascript (I hope you get the point)
  • Other freaky things the bad guys like, but I think I have noticed enough ;-)

Where the hell is the script you’re talking about all the time?
Somewhere in the homepage you are currently looking at, not that easy to find, but I think you’ll discover it anyway ;-)

And, finally:

Dear Digg / Delicious / Technorati / Netscape Staff!

I Love you. You provide great Social Community platforms which are really entertaining and helpful for us bloggers (Technorati! *hug*).
These few security issues I talked about are not that bad, and I’m sure you’ll fix them ASAP after you were notified. Probably you are going to spend more time in QA, but that’s nothing I need to tell you.

Best Regards,
- benjamin “beNi” flesch (mybeNi websecurity)

PS: Sorry, I did it all for the pagerank :)

Now, let the show begin!

Update: Here’s the Digg Link: http://digg.com/offbeat_news/Digg_Delicious_Netscape_And_Technorati_Hacked
wow I already got a couple of friends ;-) Technorati & Delicious work, too. Only Netscape sucks :(




11 Responses to “Digg, Delicious, Netscape & Technorati Hacked”:

  1. Bob Says:

    So how did you do it?


  2. beNi Says:

    XSS + CSRF are great ;-)

    and sorry, it’s no 1st April joke


  3. christ1an Says:

    Impressive. Actually I expected something like this to happen. If you hadn’t done it, it would have been me.

    I’ll keep an eye on you ;)


  4. CrYpTiC_MauleR Says:

    found it with one click =oP, I love the Web Developer extension =o)

    about:neterror?e=netReset&u=….
    http://del.icio.us/for/‘%22%3E%3C…
    http://www.technorati.com/faves/mybeNi?remove=…


  5. busin3ss Says:

    It has been fixed (creplyto=)

    BTW… Nice “hacks” folder :)

    Really impressive, how did you find them?


  6. hackathology Says:

    cool. Nice one.


  7. Zeroknock Says:

    I hope it won’t be April fool layout. The companies have to pay attention to our research. Even I have undertaken a lot of vulnerabilities of premium companies. Yeah, so the best solution is Full Disclosure.

    Good.


  8. beNi Says:

    busin3ss: damn, it took me 3 hours after submitting to get the “final” script working… that destroyed a lot of votes :-( perhaps next time I’ll achieve it.
    Yes, I love my “hacks” folder, and now I need to get up and make jokes (April muhahaha)


  9. NoScript Says:

    Just one word: NoScript :)

    Latest dev version with anti-XSS countermeasures:
    http://noscript.net/getit#devel


  10. Chris Says:

    where is the code on this page! tis evading me…


  11. How We Gamed Digg for Fun and Profit! | I Can Has Rankings? Says:

    […] Almost a year and a half ago we learned about an undisclosed XSS hole in Digg.com thanks to Beni. He is an outstanding security researcher and author of pretty sick stuff like this Digg, Delicious, Netscape and Technorati XSS Worm. […]

