<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="/stylesheets/rss.css" type="text/css"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/">
  <channel>
    <title>Todd Allen on Technology: Tag spam</title>
    <link>http://toddallen.org/articles_controller.rb/tag?tag=spam</link>
    <language>en-us</language>
    <ttl>40</ttl>
    <description>Ramblings on mobile and early stage companies.</description>
    <item>
      <title>Note to Hive7: When people say &quot;Viral&quot;, they don't mean worms. (Part 2)</title>
      <description>&lt;img src="http://www.toddallen.org/files/beeez.jpg"&gt;&lt;/img&gt;&lt;br/&gt;
As I explained in the previous post, Hive7.com sounds fantastic on paper.  Also, I want to point out that the problems I'm about to explain *could* be resolved, making the service far better (and not destined to be destroyed by a worm).
&lt;br/&gt;&lt;br/&gt;
Normally I'd be inclined to simply email these issues to the company, but since they clearly know JavaScript inside and out, it's hard to imagine they don't know the problem exists.  Unfortunately the issue is deeply integrated into the service, and fixing it is going to break a lot of existing work.
&lt;br/&gt;&lt;br/&gt;
&lt;strong&gt;Problem #1:  Tricking users into spamming their entire contact list.&lt;/strong&gt;&lt;br/&gt;
Hive7 has a neat feature which allows you to create a new user using your Gmail/AOL IM/etc... accounts.  It makes perfect sense: if you are trying to build a social platform, making it simple to invite your friends is clearly important.  Hive7 has taken simple a bit too far though.
&lt;br/&gt;&lt;br/&gt;When you create your account, the next screen that pops up is a list of your contacts from Gmail.  The heading seems simple enough:
"Search for friends: See which of your friends are already on Hive7 and invite new ones."  &lt;br/&gt;&lt;br/&gt;
I clicked this button, presuming Hive7 would search their userbase and tell me who had already signed up.  Instead it sent an email to every contact in my email account. &lt;br/&gt;&lt;br/&gt;Thanks guys.... &lt;strong&gt;you just invited several of my business contacts, not to mention ex-girlfriends, to a chat room with action figure avatars.  It looks like I'm playing with dolls.&lt;/strong&gt;
&lt;br/&gt;&lt;br/&gt;
Honestly that got me angry enough that I'd never use the service again as a user.  Still curious about the technology, I stuck around to create a few objects in my "home".  What I saw next was stunning.
&lt;br/&gt;&lt;br/&gt;
&lt;strong&gt;Problem #2:  Holy hell you can upload unscrubbed javascript!&lt;/strong&gt;&lt;br/&gt;&lt;br/&gt;
Now, I don't code professionally anymore.  If you asked my friends they would argue that I never wrote code "professionally".  I'm an admitted hack, but even *I* know better than to let users write code that gets executed unchecked.  Also, I'm pretty good at breaking things, so this shouldn't take long.
&lt;br/&gt;&lt;br/&gt;
A bit of background: Cross-site scripting attacks are a huge issue in the "Web 2.0" world of AJAX and heavily interactive websites.  The problem is also well documented.  Generally what happens is a site accidentally forgets to scrub some input field, and a script that a sneaky user uploaded ends up running in every other visitor's browser, with that visitor's cookies and session.  It's a bug.
&lt;br/&gt;&lt;br/&gt;
This bug is one of the CORE FEATURES of Hive7.  It's not an accident.  They ASK YOU to upload your own javascript.
&lt;br/&gt;&lt;br/&gt;
Within 45 minutes my friend and I had created an object that logged the Hive7 UserId, SessionID, and ChatID cookies of any user who entered the room.
&lt;br/&gt;&lt;br/&gt;
That's all it took.  About 3 lines of code and it was possible to hijack the session of any user who entered the room.  You could become that user without ever logging in, granting you access to upload/modify objects as that user.  More troubling, since it had previously spammed all my contacts, this hijacked account could be used to read my contact list.
&lt;br/&gt;&lt;br/&gt;
With these pieces creating a Hive7 worm would be trivial: &lt;br/&gt; 1) Hijack a session. &lt;br/&gt; 2) As the user you hijacked, upload the worm script.  &lt;br/&gt; 3) Hijack sessions of any users who enter the captured room. &lt;br/&gt; 4) Repeat.
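&lt;br/&gt;&lt;br/&gt;
As an added illustration, not code from the original post or from Hive7: the script below models offline what an uploaded object's JavaScript can read from document.cookie, depending on how the server sets its cookies, and includes the server-side check that catches the weak configuration.  The cookie names (UserId, SessionID, ChatID) are the ones named above; the header values and the Set-Cookie attributes are constructed for the example.
&lt;br/&gt;&lt;br/&gt;
```javascript
// Added example, not Hive7's code. Models, offline, what a script that a site
// lets users upload can read from document.cookie, depending on how the server
// sets its cookies. Cookie names come from the post; header values are constructed.

// Parse one Set-Cookie header into name, value and the flags we care about.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of parts.slice(1)) {
    const lower = attr.toLowerCase();
    if (lower === 'httponly') cookie.httpOnly = true;
    else if (lower === 'secure') cookie.secure = true;
    else if (lower.startsWith('samesite=')) cookie.sameSite = attr.slice(9);
  }
  return cookie;
}

// What document.cookie would return for a page in this origin: browsers omit
// HttpOnly cookies from it, so this is exactly what an uploaded script can log.
function cookiesVisibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// The cookie logger the post describes, as a pure function over the
// document.cookie string: pick out the session-bearing cookies by name.
function harvest(documentCookie, names) {
  const found = {};
  for (const pair of documentCookie.split('; ')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const name = pair.slice(0, eq);
    if (names.includes(name)) found[name] = pair.slice(eq + 1);
  }
  return found;
}

// Server-side check: every cookie that identifies a session must be HttpOnly
// and, over HTTPS, Secure. Returns the names that fail the check.
function auditSessionCookies(setCookieHeaders, sessionNames) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => sessionNames.includes(c.name))
    .filter((c) => !c.httpOnly || !c.secure)
    .map((c) => c.name);
}

const SESSION_NAMES = ['UserId', 'SessionID', 'ChatID'];

// Constructed headers: cookies readable by script, as the post describes ...
const WEAK_HEADERS = [
  'UserId=1042; Path=/',
  'SessionID=9f3c2a7d; Path=/',
  'ChatID=room-77; Path=/',
];
// ... beside a hardened configuration.
const HARDENED_HEADERS = [
  'UserId=1042; Path=/; Secure; HttpOnly; SameSite=Lax',
  'SessionID=9f3c2a7d; Path=/; Secure; HttpOnly; SameSite=Lax',
  'ChatID=room-77; Path=/; Secure; HttpOnly; SameSite=Lax',
];

console.log(harvest(cookiesVisibleToScript(WEAK_HEADERS), SESSION_NAMES));
// → { UserId: '1042', SessionID: '9f3c2a7d', ChatID: 'room-77' }
console.log(harvest(cookiesVisibleToScript(HARDENED_HEADERS), SESSION_NAMES));
// → {}
console.log(auditSessionCookies(WEAK_HEADERS, SESSION_NAMES));
// → [ 'UserId', 'SessionID', 'ChatID' ]
```
&lt;br/&gt;&lt;br/&gt;
With HttpOnly set, the logger's harvest comes back empty because the browser never exposes those cookies to script.  That closes the cookie-theft path described above but not the worm: a script that runs in Hive7's own origin can still issue requests that the browser authenticates with the victim's cookies, so steps 2 and 3 work without ever reading a cookie.  The fix for problem #2 is to run user-supplied scripts in an iframe served from a separate origin, where they get neither first-party cookies nor the DOM of the host page.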
&lt;br/&gt;&lt;br/&gt;
C'mon guys.  Seriously.</description>
      <pubDate>Thu, 25 Jan 2007 12:47:00 -0500</pubDate>
      <guid isPermaLink="false">urn:uuid:a514f559-91e9-49b4-9922-17b324a05824</guid>
      <author>todd</author>
      <link>http://toddallen.org/articles/2007/01/25/note-to-hive7-when-people-say-viral-they-dont-mean-worms-part-2</link>
      <category>social networking</category>
      <category>spam</category>
      <category>viral</category>
    </item>
    <item>
      <title>Note to Hive7: When people say &quot;Viral&quot;, they don't mean worms. (Part 1)</title>
      <description>&lt;img src="http://toddallen.org/files/beeez.jpg"&gt;&lt;/img&gt;&lt;br/&gt;
With all the noise and press Second Life has been receiving lately, it's difficult to not think about the concept of online communities beyond MySpace.
&lt;br/&gt;&lt;br/&gt;
It's my personal opinion that for Second Life, or any next-generation online community, to truly take off to the extent MySpace did, it will need to break out of the desktop application and into the web/mobile world.
&lt;br/&gt;&lt;br/&gt;Casual users and youth don't spend all their time sitting in front of desktops that they can load software onto, but walk into any college computer lab and tell me how many people are sitting on MySpace/Facebook.
&lt;br/&gt;&lt;br/&gt;
People want to have constant access to their friends.  Mobile, and to a lesser extent PC web browsers, make that possible.
&lt;br/&gt;&lt;br/&gt;
Based on that I was excited to see a story about a small Palo Alto startup, Hive7.com, building a web based application similar to Second Life.  I'm not a huge chat room person, but if I could embed a widget on my websites where people could see my "virtual room" I'd probably give it a shot.
&lt;br/&gt;&lt;br/&gt;
Unfortunately, things went downhill immediately from the time I loaded the site.  I recommend you don't create an account at all until they rework their platform. 
&lt;br/&gt;&lt;br/&gt;
An explanation to follow....</description>
      <pubDate>Wed, 24 Jan 2007 12:13:00 -0500</pubDate>
      <guid isPermaLink="false">urn:uuid:67343428-0402-4b84-8010-759df8dde694</guid>
      <author>todd</author>
      <link>http://toddallen.org/articles/2007/01/24/note-to-hive7-when-people-say-viral-they-dont-mean-worms-part-1</link>
      <category>spam</category>
      <category>viral</category>
      <category>social networking</category>
    </item>
  </channel>
</rss>
