Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)
Posted by todd Thu, 25 Jan 2007 17:47:00 GMT

As I explained in the previous post, Hive7.com sounds fantastic on paper. Also, I want to point out that the problems I'm about to explain *could* be resolved, making the service far better (and not destined to be destroyed by a worm).
Normally I'd be inclined to simply email these issues to the company, but since they clearly know javascript inside and out, it's hard to imagine they don't know the problem exists. Unfortunately the issue is deeply integrated into the service, and fixing it is going to break a lot of existing work.
Problem #1: Tricking users into spamming their entire contact list.
Hive7 has a neat feature which allows you to create a new user using your Gmail/AOL IM/etc. accounts. It makes perfect sense: if you are trying to build a social platform, making it simple to invite your friends is clearly important. Hive7 has taken simple a bit too far though.
When you create your account, the next screen that pops up is a list of your contacts from Gmail. The heading seems simple enough: "Search for friends: See which of your friends are already on Hive7 and invite new ones."
I clicked this button, presuming Hive7 would search their userbase and tell me who had already signed up. Instead it sent an email to every contact in my email account.
Thanks guys... you just invited several of my business contacts, not to mention ex-girlfriends, to a chat room with action figure avatars. It looks like I'm playing with dolls.
Honestly that got me angry enough that I'd never use the service again as a user. Still curious about the technology, I stuck around to create a few objects in my "home". What I saw next was stunning.
Problem #2: Holy hell you can upload unscrubbed javascript!
Now, I don't code professionally anymore. If you asked my friends they would argue that I never wrote code "professionally". I'm an admitted hack, but even *I* know better than to let users write code that gets executed unchecked. Also, I'm pretty good at breaking things, so this shouldn't take long.
A bit of background: Cross-site scripting attacks are a huge issue in the "Web 2.0" world of AJAX and heavily interactive websites. The problem is also well documented. Generally what happens is a site accidentally forgets to scrub some input field and allows the execution of javascript that a sneaky user uploaded. It's a bug.
This bug is one of the CORE FEATURES of Hive7. It's not an accident. They ASK YOU to upload your own javascript.
Within 45 minutes my friend and I had created an object that logged the Hive7 UserId, SessionID, and ChatID cookies of any user who entered the room.
That's all it took. About 3 lines of code and it was possible to hijack the session of any user who entered the room. You could become that user without ever logging in, granting you access to upload/modify objects as that user. More troubling, since it had previously spammed all my contacts, this hijacked account could be used to read my contact list.
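The two controls a site like this would need against what is described above, as an added example that is not Hive7's code: user-supplied object markup is rendered through an allowlist (so embedded script, on* handlers and javascript: URLs never reach other visitors' browsers), and the session cookie is issued HttpOnly so document.cookie does not expose it even if some script does get through. The allowed tags/attributes and the cookie attributes are illustrative choices, not taken from the service.

```javascript
// Added example, not Hive7's code. Tag/attribute lists and the cookie
// attributes below are illustrative choices, not taken from the service.
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'br', 'img', 'a']);
const ALLOWED_ATTRS = { img: ['src', 'alt'], a: ['href'] };

// Escape text nodes and attribute values so they can never be parsed as markup.
function escapeText(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
// Accept only absolute http(s) or site-relative URLs; rejects javascript:, data:, etc.
function safeUrl(u) {
  const v = u.trim();
  return /^(https?:\/\/|\/(?!\/))/i.test(v) ? v : null;
}
// Matches an opening/closing tag, a run of text, or a stray "<".
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|[^<]+|</g;
// Matches name="value", name='value', name=value or a bare attribute name.
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Rebuilds the markup from scratch, keeping only allowlisted tags and attributes.
function sanitizeObjectMarkup(html) {
  let out = '';
  for (const m of html.matchAll(TAG_RE)) {
    const [tok, slash, name, rawAttrs] = m;
    if (tok === '<') { out += '&lt;'; continue; }                 // stray "<"
    if (name === undefined) { out += escapeText(tok); continue; } // text node
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue; // <script>, <iframe>, ... dropped; inner text stays as inert text
    if (slash) { out += `</${tag}>`; continue; }
    let attrs = '';
    for (const a of rawAttrs.matchAll(ATTR_RE)) {
      const key = a[1].toLowerCase();
      if (!(ALLOWED_ATTRS[tag] || []).includes(key)) continue; // onclick=, onerror=, style= ... dropped
      let val = a[2] ?? a[3] ?? a[4] ?? '';
      if (key === 'src' || key === 'href') { val = safeUrl(val); if (val === null) continue; }
      attrs += ` ${key}="${escapeText(val)}"`;
    }
    out += `<${tag}${attrs}>`;
  }
  return out;
}

// Set-Cookie value for the session token: HttpOnly keeps it out of document.cookie.
function sessionCookieHeader(name, value) {
  if (!/^[A-Za-z0-9_-]+$/.test(name) || /[\s;,]/.test(value)) throw new Error('invalid cookie');
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}
```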
With these pieces creating a Hive7 worm would be trivial:
1) Hijack a session.
2) As the user you hijacked, upload the worm script.
3) Hijack sessions of any users who enter the captured room.
4) Repeat.
C'mon guys. Seriously.

