Todd Allen on Technology

Ramblings on mobile and early stage companies.

Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)

Posted by todd Thu, 25 Jan 2007 17:47:00 GMT


As I explained in the previous post, Hive7.com sounds fantastic on paper. Also, I want to point out that the problems I'm about to explain *could* be resolved, making the service far better (and not destined to be destroyed by a worm).

Normally I'd be inclined to simply email these issues to the company, but since they clearly know JavaScript inside and out, it's hard to imagine they don't know the problem exists. Unfortunately the issue is deeply integrated into the service, and fixing it is going to break a lot of existing work.

Problem #1: Tricking users into spamming their entire contact list.
Hive7 has a neat feature which allows you to create a new user using your Gmail/AOL IM/etc. accounts. It makes perfect sense: if you are trying to build a social platform, making it simple to invite your friends is clearly important. Hive7 has taken "simple" a bit too far, though.

When you create your account, the next screen that pops up is a list of your contacts from Gmail. The heading seems simple enough: "Search for friends: See which of your friends are already on Hive7 and invite new ones."

I clicked this button, presuming Hive7 would search their userbase and tell me who had already signed up. Instead it sent an email to every contact in my email account.

Thanks, guys... you just invited several of my business contacts, not to mention ex-girlfriends, to a chat room with action figure avatars. It looks like I'm playing with dolls.

Honestly that got me angry enough that I'd never use the service again as a user. Still curious about the technology, I stuck around to create a few objects in my "home". What I saw next was stunning.

Problem #2: Holy hell you can upload unscrubbed javascript!

Now, I don't code professionally anymore. If you asked my friends they would argue that I never wrote code "professionally". I'm an admitted hack, but even *I* know better than to let users write code that gets executed unchecked. Also, I'm pretty good at breaking things, so this shouldn't take long.

A bit of background: cross-site scripting attacks are a huge issue in the "Web 2.0" world of AJAX and heavily interactive websites. The problem is also well documented. Generally what happens is a site accidentally forgets to scrub some input field and allows the execution of JavaScript that a sneaky user uploaded. It's a bug.

This bug is one of the CORE FEATURES of Hive7. It's not an accident. They ASK YOU to upload your own javascript.

Within 45 minutes my friend and I had created an object that logged the Hive7 UserId, SessionID, and ChatID cookies of any user who entered the room.

That's all it took. About three lines of code, and it was possible to hijack the session of any user who entered the room. You could become that user without ever logging in, granting you access to upload/modify objects as that user. More troubling, since it had previously spammed all my contacts, this hijacked account could be used to read my contact list.

With these pieces creating a Hive7 worm would be trivial:
1) Hijack a session.
2) As the user you hijacked, upload the worm script.
3) Hijack sessions of any users who enter the captured room.
4) Repeat.

C'mon guys. Seriously.

