The Blog That Is No More
This Blog has moved to
Friday, October 13, 2006
  Hole in Hi5 leaves accounts open to false logins

So I'm going the referrer logs at the main website, and i accidentally clicked on a referrer URL from someone who had apparently put a photo from our site with a backlink to us into their profile - this Hi5 user must have clicked on this link while administering his Hi5 account. By clicking the link in my referrer log I was instantly viewing his account, under his login, with full access to his entire Hi5 profile - apparently the session ID (or whatever is necessary for me to to appear to be HIM to the Hi5 servers) was passed in the referrer string - giving me full access when I clicked it. I'm no security expert, or even a web-expert for that matter, so I'm not going to pretend that I know how/why it allowed me full access to his profile, but it would appear to be a security weakness on Hi5's part..

The format of the referral string is as follows (I'm removing the real userID and session info for little PoonJab's protection)

I'm going to guess that this session will probably expire soon, but I'll keep trying it to see how long it lasts..

Since the chances of having a hi5 member click on a backlink to your website while logged into their account are slim, this is probably not a very 'hackable' vulnerability, but something I would guess that the Hi5 security man might want to take a look at.. I'm sure they don't want to end up looking like Myspace with their "we have no security" security..

I will notify Hi5 about this problem - mostly because i'm curious to see if they will respond or fix it.. It seems that Myspace ignored the notices i sent THEM, until the story about the Myspace secruty hole hit - THEN they got around to fixing thier little issues pretty quick! Mr Hi5, if you're reading this in response to the email I sent you: if you reply to my email I will post a followup telling the world how quickly you reacted, and how much better you are than the Myspace security guys!

And before you post comments asking: NO, I did NOT mess with poor little PoonJab's account.. He only has 7 friends, so I felt kinda sorry for him. He does not need me to help make his life any more miserable that it already appears to be..


Update: Saturday morning, after some sleep;
I was looking at this more and discovered that it is a bit more serious that I first thought.
It appears that PoonJab clicked on a link in someone ELSE's (Jorge's) Hi5 profile that went to our site - It is very common for someone to click on a backlink while logged into their Hi5 account! So the referrer link in my log takes me to Jorge's profile, but logs me into Hi5 as PoonJab. It's been over 8 hours and it still works, meaning the sessionID (or whatever) still has not expired. Mr. Hi5 definitely needs to have a look at this..

Update: Saturday morning, after some coffee;
I've sifted thru my referrer logs, and it looks like the majority of refferers have the 'regular' hi5 url:

I'm not sure why PoonJab's referrer URL was different. I'll be keeping a close eye on my logs. Maybe I'll have to sign up for a Hi5 account and test it out a little..

Update: Saturday afternoon, after 2 cokes, a PB&J, and a nap;
I spent over an hour seeing if I could get the URL with the sessionID info to display while logged in with Poonjab's Hi5 account info. Three times, the longer SessionID URL did display, seemingly randomly - But no matter what I did I was not able to make it appear. So at this point it looks like if the SessionID URL happens to (randomly) display, and the user happens to click a link to another website while that URL is being displayed, all the information necessary to log in as that user will be sent as the referrer - making it possible for whoever has access to that website's logs take over that user's Hi5 account.

Labels: ,

Comments: Post a Comment

Subscribe to Post Comments [Atom]

<< Home