So I'm going through the referrer logs at the main website, and I accidentally clicked on a referrer URL from someone who had apparently put a photo from our site with a backlink to us into their profile - this Hi5 user must have clicked on this link while administering his Hi5 account. By clicking the link in my referrer log I was instantly viewing his account, under his login, with full access to his entire Hi5 profile - apparently the session ID (or whatever is necessary for me to appear to be HIM to the Hi5 servers) was passed in the referrer string - giving me full access when I clicked it. I'm no security expert, or even a web expert for that matter, so I'm not going to pretend that I know how/why it allowed me full access to his profile, but it would appear to be a security weakness on Hi5's part..
The format of the referral string is as follows (I'm removing the real userID and session info for little PoonJab's protection):
http://www.hi5.com/friend/displayProfile.do?userid=xxxxxxxx&loginid=xxxHXPXKHPGJnnnnnnn&smid=20061013_2660_5olxxxxYCaxnR4rNT9EK112520nnnn
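As an added example (not code from the original post), here is a small log scanner a site operator could run over their own referrer logs to spot inbound Referer URLs that carry session material in the query string, the exact exposure described above. The loginid and smid parameter names come from the URL above; the other session-like key names, the combined log format and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query keys that commonly carry a login session. loginid and smid come from the
# post's URL; the rest are assumed common names, not taken from the post.
SESSION_KEYS = {"loginid", "smid", "sessionid", "sid", "phpsessid", "jsessionid", "token"}

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def session_params(referer):
    """Return the session-bearing (key, value) pairs found in a referer URL's query string."""
    try:
        parts = urlsplit(referer)
    except ValueError:
        return []
    return [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() in SESSION_KEYS]

def redact(referer):
    """Rewrite the referer with every session-bearing value replaced, safe to keep in a report."""
    parts = urlsplit(referer)
    cleaned = [(k, "REDACTED" if k.lower() in SESSION_KEYS else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))

def scan_log(lines):
    """Return (client_ip, referer_host, leaked_keys, redacted_referer) for each risky log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ref = m.group("referer")
        if ref in ("", "-"):
            continue  # no referer sent
        leaked = session_params(ref)
        if leaked:
            findings.append((m.group("ip"), urlsplit(ref).hostname,
                             [k for k, _ in leaked], redact(ref)))
    return findings

# Constructed sample log lines (not real traffic); the first referer mimics the post's URL shape.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Oct/2006:10:22:01 -0500] "GET /images/photo.jpg HTTP/1.1" 200 5123 '
    '"http://www.hi5.com/friend/displayProfile.do?userid=xxxxxxxx&loginid=xxxHXPXKHPGJnnnnnnn'
    '&smid=20061013_2660_5olxxxxYCaxnR4rNT9EK112520nnnn" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Oct/2006:10:23:44 -0500] "GET / HTTP/1.1" 200 1024 '
    '"http://www.example.com/page?ref=photo" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Oct/2006:10:24:10 -0500] "GET /about HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, host, keys, safe in scan_log(SAMPLE_LOG):
        print(f"{ip} arrived from {host} carrying session params {keys}: {safe}")
```

The fix on the referring site's side is to stop putting session identifiers in URLs at all (cookies instead), since any outbound link leaks the URL through the Referer header; a scan like this only tells you which of your visitors' sites are doing it.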
I'm going to guess that this session will probably expire soon, but I'll keep trying it to see how long it lasts..
Since the chances of having a Hi5 member click on a backlink to your website while logged into their account are slim, this is probably not a very 'hackable' vulnerability, but something I would guess that the Hi5 security man might want to take a look at.. I'm sure they don't want to end up looking like Myspace with their "we have no security" security..
I will notify Hi5 about this problem - mostly because I'm curious to see if they will respond or fix it.. It seems that Myspace ignored the notices I sent THEM, until the story about the Myspace security hole hit Digg.com - THEN they got around to fixing their little issues pretty quick! Mr Hi5, if you're reading this in response to the email I sent you: if you reply to my email I will post a followup telling the world how quickly you reacted, and how much better you are than the Myspace security guys!
And before you post comments asking: NO, I did NOT mess with poor little PoonJab's account.. He only has 7 friends, so I felt kinda sorry for him. He does not need me to help make his life any more miserable than it already appears to be..