Fri 11 December 2009
hi5 security ellak
One of my servers had a lot of traffic due to image hotlinkers (they are now being served Goatse) and while examining the logs I noticed an unusual referer from hi5. It had GET variables like reviewCommentLink. I thought that was a little strange and thought, could it be?
One click later I was logged in as some Mexican guy.
I never liked Hi5, but I can't deny it's one of the big social networking sites. Using information in links that can log someone in without any validation (or, at least, expiring them upon first use) is a serious mistake. It's not a mistake I would expect from the likes of Hi5.
I thought about reporting it, but after a Google search I came upon this blog post which describes the same issue, and that guy has already reported it. So, there's no point in reporting it again. They know and don't care. That post is from 2006.
This is really sad. This seems like a very exploitable hole. Host an image on your server that enough people will click (Keira Knightley is a great choice :p) and just wait until you get this kind of link in your referer log. It doesn't get any simpler. (The image on my server was probably used as a profile image for someone else.)
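As an added example (not code from this post or from hi5), here is the fix the post asks for: action links that carry an unguessable token, bound to one user and one action, that expire and are consumed on first use, so a copy that later leaks through a Referer header is already dead. The class, store layout and URL format are hypothetical.

```python
# Added example: single-use, expiring action links, the mitigation the post
# suggests for login-in-a-link. Names and URL layout here are hypothetical.
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # a link stops working 15 minutes after it is minted


class ActionLinkStore:
    """Mints links that act on behalf of a user and can be redeemed exactly once."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (user_id, action, expires_at)

    def mint(self, user_id, action):
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the hash is stored: a leaked copy of this table yields no usable links.
        self._pending[digest] = (user_id, action, self._clock() + TOKEN_TTL_SECONDS)
        return f"https://example.invalid/{action}?t={token}"

    def redeem(self, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop() makes the token single-use. The legitimate user's click happens
        # before any third-party image host sees the URL in a Referer, so by
        # the time the link leaks, a second redeem finds nothing here.
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None
        user_id, action, expires_at = entry
        if self._clock() > expires_at:
            return None  # expired links are rejected even on first use
        return (user_id, action)


def token_from_url(url):
    """Pull the token out of a minted link (helper for callers and tests)."""
    values = parse_qs(urlparse(url).query).get("t", [])
    return values[0] if values else None
```

Redeeming should additionally happen over HTTPS and still establish a normal session cookie rather than keeping the token live in the URL bar.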