hi5 Antiphishing Departement (Update)
March 24th, 2007This evening I was searching for another “Social Community Platform” to abuse err… play with, and I found hi5, Alexa’s current #17 in traffic raking.
After some time I had set up a fresh user account and a couple of minutes later I found the first XSS vulnerability, which allowed me to execute my own Javascript on the User Profile.
Combined with hi5’s custom CSS and custom Subdomain features I served a hi5 Antiphishing Departement to the hi5 community out there which I am very proud of :-).
Together with our Myspace Antiphishing Departement (blogged here), the hi5 Antiphishing Departement proves, that Homepages that allow content and design entirely set by the users can easily abused for Phishing and other bad purposes.
UPDATE: They finally finished this vulnerability, so my hi5 Antiphishing Departement will be offline the next few weeks, but nevermind it was a great example for persistent XSS on a trusted Domain plus a good-looking URI: antiphishing.hi5.com. !
Did you Like this Post? Try these ones! :)
How to rescue your Xorg-Server in a "worst case" scenario? on December 20th, 2007
PHP: Nur Zahlen als Parameterwert on February 17th, 2007
Re: *****SPAM***** Link Exchange [Advertisement] - A SEO is Spamming me, fuck off! on August 22nd, 2007
Linux: How to get a list of the network interfaces? on September 25th, 2007
How can I count the Lines of a Text File? on August 10th, 2007
March 24th, 2007 at 11:22
That’s a good find!
It would be nice if you contact me, for a little talk.
March 25th, 2007 at 05:22
thanks & done.