Todd Allen on Technology: Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)

Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)

todd — Thu, 25 Jan 2007 12:47:00 -0500

As I explained in the previous post, Hive7.com sounds fantastic on paper. Also, I want to point out that the problems I'm about to explain *could* be resolved, making the service far better (and not destined to be destroyed by a worm).

Normally i'd be inclined to simply email these issues to the company but since they clearly know javascript inside and out; it's hard to imagine they don't know the problem exists. Unfortunately the issue is deeply integrated into the service, and fixing it is going to break a lot of existing work.

Problem #1: Tricking users into spamming their entire contact list.
Hive7 has a neat feature which allows you to create a new user using you Gmail/AOL IM/etc... accounts. It makes perfect sense and if you are trying to build a social platform, making it simple to invite your friends is clearly important. Hive7 has taken simple a bit too far though.

When you create your account, the next screen that pops up is a list of your contacts from Gmail. The heading seems simple enough: "Search for friends: See which of your friends are already on Hive7 and invite new ones."

I clicked this button, presuming Hive7 would search their userbase and tell me who had already signed up. Instead it sent an email to every contact in my email account.

Thanks guys.... you just invited several of my business contacts, not to mention ex-girlfriends, to a chat room with action figure avatars. It looks like i'm playing with dolls.

Honestly that got me angry enough that I'd never use the service again as a user. Still curious about the technology, I stuck around to create a few objects in my "home". What I saw next was stunning.

Problem #2: Holy hell you can upload unscrubbed javascript!

Now, I don't code professionally anymore. If you asked my friends they would argue that I never wrote code "professionally". I'm an admitted hack, but even *I* know better than to let users write code that gets executed unchecked. Also, I'm pretty good at breaking things, so this shouldnt take long.

A bit of background: Cross site scripting attacks are a huge issue in the "Web 2.0" world of AJAX andheavily interactive websites. The problem is also well documented. Generally what happens is a site accidently forgets to scrub some input field and allows the execution of javascript that a sneaky user uploaded. It's a bug.

This bug is one of the CORE FEATURES of Hive7. It's not an accident. They ASK YOU to upload your own javascript.

Within 45 minutes my friend and I had created an object that logged the Hive7 UserId, SessionID, and ChatID cookies of any user who entered the room.

That's all it took. About 3 lines of code and it was possible to hijack the sessio n of any user who entered the room. You could become that user without ever logging in, granting you access to upload/modify objects as that user. More troubling, since it had previously spammed all my contacts, this hijacked account could be used to read my contact list.

With these pieces creating a Hive7 worm would be trivial:
1) Hijack a session.
2) As the user you hijacked, upload the worm script.
3) Hijack sessions of any users who enter the captured room.
4) Repeat.

Cmon guys. Seriously.

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by E臣工作室

Wed, 13 Jun 2007 04:14:22 -0400

博客营销电子商务动态

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by huge boobs

Tue, 05 Jun 2007 12:17:28 -0400

Is it possible to make more useful articles please?

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by ava devine

Mon, 28 May 2007 09:36:18 -0400

I still can't find the way to edit templates :-(

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by 8th street latinas

Fri, 25 May 2007 08:47:34 -0400

Try validator.w3.org should help

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by ass parade

Thu, 24 May 2007 21:31:06 -0400

Recommend me please some validator, so that i could optimize my html!

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by crissy moran

Thu, 24 May 2007 12:50:46 -0400

i want to ask if it is possible to create different mysql base and keep there old not needed messages?

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by sky lopez

Wed, 23 May 2007 22:06:09 -0400

Programming is so exciting, you should definetely try it!

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by tera patrick

Wed, 23 May 2007 12:25:16 -0400

Common mistake is not checking just created sites in all possible browsers, in order to see everything is correct!

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by round and brown

Tue, 22 May 2007 23:37:53 -0400

Advice me please mass podcast site for free usage

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by milf hunter

Tue, 22 May 2007 11:55:49 -0400

I am curious how do you manage all posts? is there a html editor fur ruby or rails?

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by amy reid

Mon, 21 May 2007 19:57:49 -0400

I am afraid it is impossible to rewrtite code on PHP in this way :(

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by raven riley

Mon, 21 May 2007 06:50:27 -0400

For normal matrix degenerate own values is the freedom to define the eigenvector corresponding quaternion own values related to the replacement of any linear combination!

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by Nikki Nova

Sat, 19 May 2007 07:54:49 -0400

Have you already tried windows vista? how is it?

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by bang bus

Thu, 17 May 2007 13:54:10 -0400

making it in ruby or in rails will not give you any opportunity!

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by teen models

Thu, 17 May 2007 06:31:03 -0400

is there any mass edit plugs section? want to change my blog script - it's wp now.

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by Jenna Haze

Thu, 17 May 2007 01:50:36 -0400

it's so hard nowadays to find some original admin tools for blogs that are free to use, can anyone advice any to form multi language posts?

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by 8th street latinas

Tue, 15 May 2007 18:35:29 -0400

Using self-writed macroses can effect your blog view! be careful!

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by big naturals

Tue, 15 May 2007 16:12:50 -0400

where do you register domain and host it?

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by aria giovanni

Tue, 15 May 2007 07:35:53 -0400

Hello there from Aria. Please explain me how does ajax updates on the server without refreshing page?

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by amy reid

Tue, 15 May 2007 02:29:16 -0400

Hello everyone, how are you? does anyone writes on php? need to complete my homework.

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by my first sex teacher

Mon, 14 May 2007 12:21:43 -0400

I apologise for nut understanding, but how to transfer blog files from 1 domain to another?

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by huge boobs

Mon, 14 May 2007 07:52:57 -0400

Did you ever tested you blog in safari? it's a mac browser

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by lesbian sex

Mon, 14 May 2007 05:36:07 -0400

Echo variables used in wp (wpress) can be cancelled by editing in template section

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by briana banks

Sun, 13 May 2007 17:09:26 -0400

Please explain me how to exclude double posting?

"Note to Hive7: When people say "Viral", they don't mean worms. (Part 2)" by Jenna Jameson

Sun, 13 May 2007 15:41:12 -0400

Which syntax does blogs use in message encrypting?