The Blog That Is No More
This Blog has moved to http://www.success.grownupgeek.com
Friday, October 13, 2006
Hole in Hi5 leaves accounts open to false logins

So I'm going through the referrer logs at the main website, and I accidentally clicked on a referrer URL from someone who had apparently put a photo from our site with a backlink to us into their profile - this Hi5 user must have clicked on this link while administering his Hi5 account. By clicking the link in my referrer log I was instantly viewing his account, under his login, with full access to his entire Hi5 profile - apparently the session ID (or whatever is necessary for me to appear to be HIM to the Hi5 servers) was passed in the referrer string - giving me full access when I clicked it. I'm no security expert, or even a web expert for that matter, so I'm not going to pretend that I know how/why it allowed me full access to his profile, but it would appear to be a security weakness on Hi5's part..

The format of the referral string is as follows (I'm removing the real userID and session info for little PoonJab's protection):
http://www.hi5.com/friend/displayProfile.do?userid=xxxxxxxx&loginid=xxxHXPXKHPGJnnnnnnn&smid=20061013_2660_5olxxxxYCaxnR4rNT9EK112520nnnn


I'm going to guess that this session will probably expire soon, but I'll keep trying it to see how long it lasts..

Since the chances of having a hi5 member click on a backlink to your website while logged into their account are slim, this is probably not a very 'hackable' vulnerability, but something I would guess that the Hi5 security man might want to take a look at.. I'm sure they don't want to end up looking like Myspace with their "we have no security" security..

I will notify Hi5 about this problem - mostly because I'm curious to see if they will respond or fix it.. It seems that Myspace ignored the notices I sent THEM, until the story about the Myspace security hole hit Digg.com - THEN they got around to fixing their little issues pretty quick! Mr Hi5, if you're reading this in response to the email I sent you: if you reply to my email I will post a followup telling the world how quickly you reacted, and how much better you are than the Myspace security guys!

And before you post comments asking: NO, I did NOT mess with poor little PoonJab's account.. He only has 7 friends, so I felt kinda sorry for him. He does not need me to help make his life any more miserable than it already appears to be..

__________________________________________________________

Update: Saturday morning, after some sleep;
I was looking at this more and discovered that it is a bit more serious than I first thought.
It appears that PoonJab clicked on a link in someone ELSE's (Jorge's) Hi5 profile that went to our site - It is very common for someone to click on a backlink while logged into their Hi5 account! So the referrer link in my log takes me to Jorge's profile, but logs me into Hi5 as PoonJab. It's been over 8 hours and it still works, meaning the sessionID (or whatever) still has not expired. Mr. Hi5 definitely needs to have a look at this..

Update: Saturday morning, after some coffee;
I've sifted through my referrer logs, and it looks like the majority of referrers have the 'regular' Hi5 URL:
http://www.hi5.com/friend/profile/displayProfile.do?userid=nnnnnnn

I'm not sure why PoonJab's referrer URL was different. I'll be keeping a close eye on my logs. Maybe I'll have to sign up for a Hi5 account and test it out a little..

Update: Saturday afternoon, after 2 cokes, a PB&J, and a nap;
I spent over an hour seeing if I could get the URL with the sessionID info to display while logged in with PoonJab's Hi5 account info. Three times, the longer SessionID URL did display, seemingly randomly - but no matter what I did I was not able to make it appear on demand. So at this point it looks like if the SessionID URL happens to (randomly) display, and the user happens to click a link to another website while that URL is being displayed, all the information necessary to log in as that user will be sent as the referrer - making it possible for whoever has access to that website's logs to take over that user's Hi5 account.
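The risk described above is that a session token placed in a URL query string travels to every third-party site the user clicks through to, inside the Referer header, and ends up in that site's access logs. A site owner can check their own logs for exactly this. The script below is an added example, not the post author's code: it parses constructed Apache-style combined log lines and reports, with values masked, any referrer query parameter whose name looks like session state. The `loginid` and `smid` names come from the post; the rest of the parameter list and the sample lines are assumptions constructed for the example.

```python
"""Scan web-server referrer fields for leaked session material (added example)."""
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Query parameter names that commonly carry authentication state.
# loginid/smid are from the post; the others are an assumed, typical list.
SESSION_PARAMS = {"loginid", "smid", "sessionid", "sid", "phpsessid", "jsessionid", "token"}


def mask(value: str, keep: int = 3) -> str:
    """Keep only a short prefix so the report itself does not re-leak the token."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def find_leaked_tokens(log_text: str) -> list[dict]:
    """Return one finding per session-like parameter seen in any referrer URL."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["ref"] in ("", "-"):
            continue  # unparseable line or no referrer sent
        parts = urlsplit(m["ref"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in SESSION_PARAMS:
                findings.append({"ip": m["ip"], "referrer_host": parts.netloc,
                                 "param": name, "masked": mask(value)})
    return findings


# Constructed sample log: one normal Hi5-style referrer, one carrying session
# parameters, one request with no referrer at all. Values are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Oct/2006:22:14:05 -0700] "GET /img/photo.jpg HTTP/1.1" 200 5120 "http://www.hi5.com/friend/profile/displayProfile.do?userid=1234567" "Mozilla/5.0"
203.0.113.9 - - [13/Oct/2006:22:15:31 -0700] "GET /img/photo.jpg HTTP/1.1" 200 5120 "http://www.hi5.com/friend/displayProfile.do?userid=7654321&loginid=ABCDEFGHIJ1234567&smid=20061013_2660_EXAMPLE" "Mozilla/5.0"
198.51.100.4 - - [13/Oct/2006:22:16:00 -0700] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in find_leaked_tokens(SAMPLE_LOG):
        print(f"{f['ip']}: referrer from {f['referrer_host']} carries {f['param']}={f['masked']}")
```

The durable fix sits on the site issuing the URL: session state carried in a cookie (or a POST body) never enters the Referer header, whereas anything in the query string does.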
