So I'm going through the referrer logs at the main website, and I accidentally clicked on a referrer URL from someone who had apparently put a photo from our site with a backlink to us into their profile - this Hi5 user must have clicked on this link while administering his Hi5 account. By clicking the link in my referrer log I was instantly viewing his account, under his login, with full access to his entire Hi5 profile - apparently the session ID (or whatever is necessary for me to appear to be HIM to the Hi5 servers) was passed in the referrer string - giving me full access when I clicked it. I'm no security expert, or even a web expert for that matter, so I'm not going to pretend that I know how/why it allowed me full access to his profile, but it would appear to be a security weakness on Hi5's part..
The format of the referral string is as follows (I'm removing the real user ID and session info for little PoonJab's protection):
I'm going to guess that this session will probably expire soon, but I'll keep trying it to see how long it lasts..
Since the chances of having a hi5 member click on a backlink to your website while logged into their account are slim, this is probably not a very 'hackable' vulnerability, but something I would guess that the Hi5 security man might want to take a look at.. I'm sure they don't want to end up looking like Myspace with their "we have no security" security..
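The post describes a session identifier riding along in a URL and therefore landing in another site's referrer log. Two defensive checks follow, as an added example that is not code from the original post or from Hi5: a scanner that flags session-like query parameters in the Referer field of a Combined Log Format access log (so a site operator can tell whether its own logs are collecting other people's credentials), a redactor for those entries, and the URL rewrite a site should apply before emitting outbound links so the token never leaves in the first place. The log lines are constructed samples, and the list of parameter names treated as session identifiers is an assumption.

```python
"""Added example (not from the original post or from Hi5): detect and redact
session tokens that arrive in the Referer header of an access log, and strip
such tokens from URLs before they are used in outbound links."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names assumed to carry a session identifier (assumption, not
# a list taken from the post or from any real site).
SESSION_PARAMS = {"sessionid", "session_id", "sid", "phpsessid", "jsessionid", "token"}

# Constructed sample entries in Combined Log Format. The first one mimics the
# situation in the post: a visitor arrived from a page whose URL carried a
# session identifier in its query string.
LOG_LINES = [
    '203.0.113.5 - - [10/Mar/2007:12:00:01 +0000] "GET /photo.jpg HTTP/1.1" 200 1234 '
    '"http://social.example/profile/edit?uid=12345&sessionid=abc123def456" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Mar/2007:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 '
    '"http://search.example/?q=photos" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2007:12:00:03 +0000] "GET /photo.jpg HTTP/1.1" 200 1234 '
    '"-" "Mozilla/5.0"',
]

# Matches the request, status, size and Referer fields of a Combined Log line.
REFERER_RE = re.compile(r'"(?P<request>[^"]*)" (?P<status>\d+) (?P<size>\S+) "(?P<referer>[^"]*)"')


def leaked_tokens(line):
    """Return {param: value} for session-like parameters found in the Referer."""
    m = REFERER_RE.search(line)
    if not m or m.group("referer") == "-":
        return {}
    query = urlsplit(m.group("referer")).query
    return {k: v for k, v in parse_qsl(query) if k.lower() in SESSION_PARAMS}


def scan_log(lines):
    """Return [(line_index, tokens)] for every line whose Referer leaks a token."""
    hits = []
    for i, line in enumerate(lines):
        tokens = leaked_tokens(line)
        if tokens:
            hits.append((i, tokens))
    return hits


def redact(line):
    """Blank the leaked values so the log file itself stops being a credential store."""
    for value in leaked_tokens(line).values():
        line = line.replace("=" + value, "=[REDACTED]")
    return line


def strip_session_params(url):
    """Rebuild a URL without session-like query parameters.

    This is the rewrite the referring site should apply to any URL it emits
    (links, redirects, form actions) if it keeps the session in the URL at all;
    keeping the session in a cookie avoids the problem entirely."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SESSION_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    for index, tokens in scan_log(LOG_LINES):
        print(f"line {index}: Referer leaks {sorted(tokens)}")
        print("  redacted:", redact(LOG_LINES[index]))
    print(strip_session_params(
        "http://social.example/profile/edit?uid=12345&sessionid=abc123def456"))
```

Run against a real access log one line at a time; a non-empty result from `scan_log` means the referring site is leaking its users' sessions to you, and `redact` is what to apply before the log is retained or shared.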
I will notify Hi5 about this problem - mostly because I'm curious to see if they will respond or fix it.. It seems that Myspace ignored the notices I sent THEM, until the story about the Myspace security hole hit Digg.com - THEN they got around to fixing their little issues pretty quick! Mr Hi5, if you're reading this in response to the email I sent you: if you reply to my email I will post a followup telling the world how quickly you reacted, and how much better you are than the Myspace security guys!
And before you post comments asking: NO, I did NOT mess with poor little PoonJab's account.. He only has 7 friends, so I felt kinda sorry for him. He does not need me to help make his life any more miserable than it already appears to be..