
Hi5 security issues.

One of my servers had a lot of traffic due to image hotlinkers (they are now being served Goatse), and while examining the logs I noticed an unusual referer from hi5. It had GET variables like loginToken, loginid and reviewCommentLink. I thought that was a little strange and wondered: could it be?

One click later i was logged in as some Mexican guy.

I never liked Hi5, but I can't deny it's one of the big social networking sites. Putting information in a link that logs someone in without any further validation (or, at the very least, without expiring the token on first use) is a serious mistake: whatever sits in a page's query string is sent in the Referer header to every third-party host whose images that page embeds, and lands in that host's access log. It's not a mistake I would expect from the likes of Hi5.
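To make the design point concrete, here is an added example (not Hi5's code, and not from the original post) contrasting a login link whose token is a permanent credential with one whose token is random, stored server-side, expires, and is deleted on first use. The class names, the 15-minute TTL and the replay helper are all assumptions made for the illustration:

```python
import secrets
import time


class ReusableLoginLink:
    """Assumed reconstruction of the weak design the post describes: the token in
    the URL is a permanent credential. Anyone who reads the URL (for example from
    a Referer header in a hotlinked image's access log) can redeem it forever."""

    def __init__(self):
        self._tokens = {}  # token -> user_id

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user_id
        return token

    def redeem(self, token):
        # No expiry, no single-use: the same token works on every call.
        return self._tokens.get(token)


class OneTimeLoginLink:
    """Hardened variant: unguessable token, short lifetime, consumed on first use.
    `clock` is injectable so the expiry path can be exercised deterministically."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self._tokens = {}  # token -> (user_id, expires_at)
        self.ttl = ttl_seconds
        self.clock = clock

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, not a user id
        self._tokens[token] = (user_id, self.clock() + self.ttl)
        return token

    def redeem(self, token):
        # pop() removes the token whether or not the redemption succeeds, so a
        # token leaked after the legitimate first use is worthless to a replayer.
        entry = self._tokens.pop(token, None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self.clock() > expires_at:
            return None
        return user_id


def replay_from_referer(issuer, user_id):
    """Simulate the post's scenario: the victim uses the link once (that is the
    request whose Referer leaks it), then someone who read the URL out of a log
    replays it. Returns (victim_result, replay_result)."""
    token = issuer.issue(user_id)
    victim = issuer.redeem(token)
    replay = issuer.redeem(token)
    return victim, replay


if __name__ == "__main__":
    print("reusable:", replay_from_referer(ReusableLoginLink(), "user-1"))
    print("one-time:", replay_from_referer(OneTimeLoginLink(), "user-1"))
```

Single use and expiry are the floor, not the fix: a credential in a GET URL still ends up in browser history, proxy logs and Referer headers, so a login link should at most bootstrap a normal cookie-based session and never be the session itself.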

I thought about reporting it, but after a Google search I came upon this blog post, which describes the same issue, and that guy has already reported it. So there's no point in reporting it again. They know and don't care. That post is from 2006.

This is really sad. This looks like a very exploitable hole. Host an image on your server that enough people will hotlink from their profiles (Keira Knightley is a great choice :p) and just wait until this kind of link shows up in your referer log. It doesn't get any simpler. (The image on my server was probably being used as a profile image by someone else.)
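As an added example of what "wait for it in your referer log" amounts to in practice (this is not the author's script), the following scans Apache combined-format access log lines for Referer URLs whose query string carries login-looking parameters. The sample lines, including the hi5.com path and every token value in them, are constructed for the example, and the list of sensitive parameter names beyond the three the post saw is an assumption:

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" format: the two quoted fields at the end are Referer and User-Agent.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Parameter names that have no business in a URL that can leak via Referer.
# The first three are the ones the post observed; the rest are assumed common names.
SENSITIVE_PARAMS = {
    "logintoken", "loginid", "reviewcommentlink",
    "token", "auth", "session", "sessionid", "sid", "password", "passwd",
}


def sensitive_params_in_url(url):
    """Return {name: value} for sensitive-looking query parameters in `url`."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return {}
    return {
        name: value
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
        if name.lower() in SENSITIVE_PARAMS
    }


def scan_log(lines):
    """Return one finding per request whose Referer leaks a sensitive parameter.
    Values are truncated so the report itself does not become a second copy of the secret."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not combined format; skip rather than guess at fields
        referer = m.group("referer")
        if referer in ("", "-"):
            continue
        leaked = sensitive_params_in_url(referer)
        if not leaked:
            continue
        request = m.group("request").split(" ")
        findings.append({
            "client": m.group("client"),
            "resource": request[1] if len(request) > 1 else m.group("request"),
            "referer_host": urlsplit(referer).hostname,
            "leaked": {k: v[:4] + "..." for k, v in leaked.items()},
        })
    return findings


# Constructed sample log lines (addresses, paths and token values are all made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2008:21:14:02 +0200] "GET /img/keira.jpg HTTP/1.1" 200 48213 '
    '"http://www.hi5.com/friend/profile?loginToken=c0ffee1234deadbeef&loginid=12345678&reviewCommentLink=1" '
    '"Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2008:21:15:40 +0200] "GET /img/keira.jpg HTTP/1.1" 200 48213 '
    '"http://www.example.org/gallery?page=2" "Mozilla/5.0"',
    '198.51.100.10 - - [10/Mar/2008:21:16:01 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run it over a real access log with `scan_log(open("access.log"))`; the matching is on parameter names only, so it reports the leak without needing to know what a valid token looks like.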


Comments

18.01.2010 16:31 jLEllen

Lots of students pass the duty to qualified writers because they don't have the skill to write a respectable paper about this post, in order that the argument why people need to use plagiarism checking (http://www.plagiarismsearch.com), but such people like the author don't do that. Thanks for the article.

9.10.2011 13:52 thesis

People do know that it's easier to buy thesis research and dissertation writing services about this post than to write it by personal effort.

28.12.2011 18:05 John

It is an exploitable hole. What I like doing to hotlinkers is changing the image but keeping the file name the same. Change it to something horrible like the blue waffle picture or something. It seems to have an effect on the whole in general, as fewer people hotlink over time knowing this could happen. ;)
