CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
July 15th, 2008

XSS Worm At Justin.tv Affects 2525 Profiles

An XSS worm crawled across Justin.tv, the popular lifecasting platform, at the end of June. The group that found the XSS vulnerability abused it as a “proof of concept” until Justin.tv fixed the flaw, rendering the worm’s activities obsolete. Due to insufficient input sanitization of the location field on users’ profiles, the group could add the following code:

<iframe id='tframeid' width=0 height=0 frameborder=0></iframe><script src="justinworm.js" language="javascript"></script>"
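The missing control here is output encoding of the stored location value. The following is an added example, not code from Justin.tv or from the original article: it renders the quoted payload through an unencoded and an encoded template, and scans stored profiles for markup so affected accounts can be counted and reset. The function names, the profile record shape and the sample records are assumptions made for illustration.

```javascript
// Added example: names and sample data below are constructed for illustration.

// Payload shape quoted in the article (stored in the profile "location" field).
const PAYLOAD = "<iframe id='tframeid' width=0 height=0 frameborder=0></iframe>" +
  "<script src=\"justinworm.js\" language=\"javascript\"></script>\"";

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the stored value is concatenated into the page as markup.
function renderLocationUnsafe(profile) {
  return `<span class="location">${profile.location}</span>`;
}

// Hardened: the stored value is encoded at output time, so it renders as text.
function renderLocationSafe(profile) {
  return `<span class="location">${escapeHtml(profile.location)}</span>`;
}

// Cleanup aid: flag stored profiles whose location starts an HTML tag
// ("<" or "</" followed by a letter, or "<!"), so they can be reviewed and reset.
function findAffectedProfiles(profiles) {
  const markup = /<\/?[a-z]|<!/i;
  return profiles.filter((p) => markup.test(p.location || "")).map((p) => p.user);
}

// Constructed sample records (hypothetical users).
const PROFILES = [
  { user: "alice", location: "San Francisco, CA" },
  { user: "bob", location: PAYLOAD },
  { user: "carol", location: "3 < 5 miles from downtown" },
  { user: "dave", location: "<IFRAME src=//example.invalid>" },
];

console.log(renderLocationSafe(PROFILES[1]));
console.log(findAffectedProfiles(PROFILES)); // [ 'bob', 'dave' ]
```

Encoding at output time protects every page that displays the field, including values stored before the fix; the scan only helps with cleanup and is not a substitute for the encoding.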

According to the statement made by one of the group members that released the PoC, the XSS worm was released on the website for research purposes. It executed successfully and lasted roughly 24 hours. The XSS vulnerability was discovered and fixed on Sun, 29 Jun 2008, with 2525 profiles affected.

Justin.tv fixed it shortly after users started complaining. According to Justin.tv, on Saturday they started to receive emails from users saying that their accounts had been compromised. On Saturday night they found a vulnerability that allowed someone to gain access to another user’s account without needing their username and password. As a result of the first vulnerability, personal communications from a number of Justin.tv users were posted on Flickr for all to see. On Tuesday a similar vulnerability was found and it was fixed within 2 hours.

The majority of social networking sites have been targets of vulnerability exploitation of all kinds. Many Orkut, MySpace, Facebook, GaiaOnline and Hi5 users were affected by it. There is a chance this will change in the future, since browsers like Mozilla and IE8 offer tools that might protect the user (Mozilla’s Site Security Policy and IE8’s Cross Site Scripting Filter) even if the site is vulnerable.

According to XSSed, another vulnerability on Justin.tv was discovered and submitted on 04 April 2008 but still remains unfixed.
