Second Life Avatars To Be United With Cross Site Scripting Exploits – Again???

by Alphaville Herald on 14/02/10 at 8:42 pm

Two apparent security holes found in Linden Lab's new social media site in one week

by Pixeleen Mistral and Senban Babii

Bioworm 

Avatars United security issue reported February 7 is followed by nearly identical hole on February 12

After Alphaville Herald reporter Senban Babii quietly notified the Avatars United web site of a potentially exploitable problem in Linden Lab's new Facebook-for-avatars social media web site on February 7th, the Herald staff was gratified to hear from Fredrik Björk, Co-founder & CTO of Avatars United, that the issue had been addressed on February 8th.

If only the story had ended there.

The problem Ms. Babii reported allowed for injection of javascript in Avatars United "shouts" – messages sent between accounts in Avatars United. By permitting javascript to be entered into the text area for "shouts", an entire class of cross site scripting exploits becomes possible – including automatic redirection of users' web browsers to malicious sites. Rather than immediately running a story, we were happy to give Avatars Unlimited a reasonable chance to close their security hole, and looked forward to a safer social avatar experience for everyone at Avatars United.

We also assumed that after Mr. Björk fixed the immediate problem, he would take a close look at the rest of the AU site for similar exploits. So it came as a surprise to find the slapt.me forum buzzing today with news of another very similar exploit – this time for the Avatars United blog tool.

Once again, by allowing users to enter javascript in text displayed to other users, the potential exploit allows for automatic redirects to potentially malicious web sites. Unfortunately, Isoz Bioworm is evidently a bit less circumspect than the Herald, and created a Vimeo video illustrating in detail the potential exploit of the blog tool. Ms. Bioworm's cinéma vérité is titled "avatarsunited security hole 12 feb 2010" on Vimeo and is linked to from the wordmess tumblr web site.
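Both holes described above share one root cause: user-supplied text (a shout, a blog post) is placed into HTML sent to other users without being escaped, so markup in the text is interpreted by the viewer's browser. The following is an added example, not Avatars United's code, showing the output-side fix a defender would apply to every such field at once rather than to one field at a time; the field names, the sample shout and the `looksActive` review check are all constructed for illustration.

```javascript
// Added example (not Avatars United's code): escape user-supplied text at
// output time so a "shout" or blog post containing script markup is shown
// literally by other users' browsers instead of being executed.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Replace the five characters that can change HTML context with entities.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Every user-controlled field goes through the same escaper. The article's
// point is that patching the shouts field alone left the blog tool with the
// same hole; one shared rendering path avoids that class of regression.
function renderShout(sender, message) {
  return `<li class="shout"><b>${escapeHtml(sender)}</b>: ${escapeHtml(message)}</li>`;
}

function renderBlogPost(title, body) {
  return `<article><h2>${escapeHtml(title)}</h2><p>${escapeHtml(body)}</p></article>`;
}

// Crude review check (constructed for this example): does rendered markup
// still contain anything a browser would treat as active content?
function looksActive(html) {
  return /<script|<\/script|\son\w+\s*=|javascript:/i.test(html);
}

// Constructed sample of the kind of input the article describes: a shout
// whose script would redirect the viewer's browser elsewhere.
const SAMPLE_SHOUT = "<script>window.location='http://example.invalid/'</script>";

function demo() {
  const shout = renderShout("Isoz Bioworm", SAMPLE_SHOUT);
  const post = renderBlogPost("hello <b>world</b>", SAMPLE_SHOUT);
  return { shout, post, shoutActive: looksActive(shout), postActive: looksActive(post) };
}
```

Escaping is context-specific: the table above is correct for element content and quoted attribute values, which is where a shout or post body lands; text inserted into a URL, a script block or a CSS rule needs that context's own encoder.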

On Ms. Bioworm's Vimeo video page, she claims to have contacted the Avatars United staff without a response, and while this demonstration of forcibly redirecting an AU session to Google seems innocent enough, the episode raises troubling questions.

One might wonder at the Lab's sudden compulsion to compete with Facebook via an insecure and immature Avatars Unlimited site. How much due diligence was done on the AU technology before herding the Second Life community to a site without identity verification, and what now appears to be a string of security issues? While we understand that Avatars United is still a test site, perhaps Mr. Björk will want to correct the newest issue? Soon?

Senban Babii warns Avatars United of a problem:

From: senbanbabii@[elided]
To: info@avatarsunited.com
Subject: Security Issue With Avatars United
Date: Sun, 7 Feb 2010 21:11:18 +0000

Hi
 
Earlier today, I noticed that the Avatars United social networking site has a potentially serious security issue.  Could you therefore please pass on the following information to the appropriate members of the team so that the issue can be dealt with rapidly?  Thanks in advance.
 
While I was logged into AU this afternoon, I decided to look into whether the html/javascript injection method was possible on the site.  I should add that this was not in any way with a view to exploiting such a method if one was found.  It was purely from habit as looking for such issues is a small part of my job and I tend to do such things almost on autopilot.  I was very surprised to find that it was indeed possible to inject html/javascript into my page.  I shall give you the details below so you know exactly what I did.

[exploit description elided]

The response from Avatars United:

CC: info@avatarsunited.com
From: fredrik@[elided]
To: senbanbabii@[elided]
Subject: Re: Security Issue With Avatars United
Date: Mon, 8 Feb 2010 12:28:33 +0100

Hi Senban,

thank you for reporting this! This issue has now been fixed.

Please let us know if you should find other similar issues on the site and we'll do our best to fix them.

Cheers,

Fredrik Björk
Co-founder & CTO

Avatars United
[www.avatarsunited.com]

Enemy Unknown AB
Phone [elided]

14 Responses to “Second Life Avatars To Be United With Cross Site Scripting Exploits – Again???”

  1. deadlycodec

    Feb 14th, 2010

    A lot of companies are like that. I have, for example, reported an SQL injection vulnerability that could be exploited on a server running Coldfusion v8. It was patched, after I told a few people what their passwords were. So they started using CFQUERYPARAM in that one integer field, but didn’t bother to check others, and as a result they left several gaping security holes unaddressed because they only paid attention to the specific vulnerability that I directed them to. Sadly, this is very common. And XSS and SQLi are often easy to detect (if you know what you’re doing – grats Senban and Pix), because often automated software can even pick up on these particular vulnerability classes. I suppose the exception is for SQLi when errors are turned off in PHP.ini (or the equivalent when using other server-side scripting languages) and the vuln is in the WHERE clause of an SQL query, which is typically a little bit more complicated to exploit (blind sql injection).

    Interesting story though. Had no idea the lab owned that site.

  2. isoz

    Feb 15th, 2010

    “…Isoz Bioworm is evidently a bit less circumspect than the Herald…”

    I sent them an e-mail regarding this issue, but no answer was provided, so I thought of making the video, maybe they open their eyes that way.

    Oh… and there's like 3 more high critical level exploitable places inside AU… details to be provided soon…

  3. “Please let us know if you should find other similar issues on the site and we’ll do our best to fix them.”

    I ran this through Google translate using Corpspeak->English:

    “Please continue to function as an unpaid security consultant to our company.”

  4. isoz

    Feb 15th, 2010

    “Please continue to function as an unpaid security consultant to our company.”

    Yes, agreed with the last comment, that's pretty much what I meant.

  5. isoz

    Feb 15th, 2010

    Lol deadlycodec, you would find much funnier the php shell I got on AU :D

    ‘SQL DUMP’ NAW?

  6. deadlycodec

    Feb 15th, 2010

    @isoz

    File inclusion eh? Or code injection? Assuming file inclusion, as that’s one of the most common means for installing PHP shells. Yeah, they’re pretty insecure if you’re able to use that. Man, I set my disable_functions directive in php.ini to disable most php functions that can be used to interact with the underlying OS….keep those open and someone finds a code injection vuln or file inclusion, and you’re owned. After that escalating to root isn’t difficult in most situations. Start checking setuid binaries for bof, if you can nab passwords from server configs, break the encryption if they’re encrypted, rule of password re-use. They might just have a privileged account using the same password. More common than I had thought at first.

    Yeah RFI is still pretty common and SQLi is going to become even more common because certain functions for filtering input are going to be removed in PHP 6.

    >Please continue to function as an unpaid security consultant to our company.

    Nothing wrong with that if you enjoy doing it. God knows I do it, when I have the time <3. Hell, I found some XSS vulns in typepad awhile back. It doesn’t affect blogs using typepad, just their domain. Might have been the sixapart domain. I’ll see if I can dig up the details and send them to Pix in the next week or two, if she wants them. Busy right now working on my server, when I’m not too tired to use a computer.

  7. At0m0 Beerbaum

    Feb 16th, 2010

    Very few companies write code with security in mind. They just write it so as to get it up and working quickly, security and efficiency be damned. Just look at SL.

  8. deadlycodec

    Feb 16th, 2010

    “Start checking setuid binaries for bof, if you can nab passwords from server configs, break the encryption if they’re encrypted, rule of password re-use. They might just have a privileged account using the same password. More common than I had thought that first.”

    Just want to clarify that I am not encouraging computer crime here. Was talking about procedures for escalation after getting a shell. IMO you should uninstall that and report the vulnerability. If you’re in the US, and they can track you, they’re prob going to prosecute you. Not worth the trouble, and you can get more cred (and maybe a career) by reporting vulns, instead of using them for nefarious ends. These days, convicted blackhats seldom find work in the security community, with the most recent exception being Kevin Mitnick. I guess you could say Max Vision too, but he was getting $100/hr before he got convicted and sent to prison for 18 months for breaking into the Pentagon and other various computer systems. After he got out, he begged and begged for work, and was completely destitute. Later, someone did give him work, for minimum wage in SoCal of all places. He ended up getting involved in this credit card scam with some guys he met in prison and now he’s going away for 13 years with a fine in excess of $25 million. His life is basically ruined, and he’s a shining example for us as to just how broken our system is. The guy is a victim of the system. The punishment didn’t fit the crime, and it seldom does these days.

    Hacking is fascinating, and I, of all people, can understand how difficult it can be to learn at a certain point, without being able to experiment in ‘real-world’ scenarios. This is a common problem during the evolution of a hacker, and sadly, it’s where many end up getting into trouble.

    Whatever you do though, just don’t damage anything or do anything malicious. Keep a clear conscience.

  9. isoz

    Feb 16th, 2010

    deadly… “Kevin Mitnick” … hmm right lol :3 he got hacked several times last year…

    The worst in the hacking scenario is that people don’t understand you… they think we/I am a criminal for being curious about how things work, and for taking the challenge to break into something, not to steal data, but to test myself with it.

    People only hear what the Media tell them…

    “>Please continue to function as an unpaid security consultant to our company.”

    Completely agree with that comment, they are a company being paid to support and secure the site…If they can’t do it then GTFO… I’m not giving them my knowledge for free… In the end of the day, they are happy and getting paid for my work…

    By the way there's a new video.. me uploading an .html file into the profile picture… it accepts several extensions, such as PHP.

    http://vimeo.com/9485913

  10. deadlycodec

    Feb 17th, 2010

    “deadly… “Kevin Mitnick” … hmm right lol :3 he got hacked several times last year…”

    Could be wrong, but I believe it was actually his phone company that got hacked several times, because they were only using 4 digit pins for authentication which means there was only a few thousand possible combinations. The company actually terminated his account because hackers kept targeting him. Even if I’m wrong, even the best can be hacked. Pit the minds of thousands of ambitious hackers against a single mind, and even great minds like Mitnick’s won’t match up. A lot of hackers targeted him because he was so famous, and for a hacker, being able to say ‘I owned mitnick’ was (still is in many circles) pretty leet. But it’s always easier to break into computers than it is to secure them. With the latter, you have to take every possibility into account. With the former, you only need to find a single solitary weakpoint.

    “Completely agree with that comment, they are a company being paid to support and secure the site…If they can’t do it then GTFO… I’m not giving them my knowledge for free… In the end of the day, they are happy and getting paid for my work…”

    Depends on whether you hack with profit in mind, or you genuinely enjoy doing it. Another thing, there is a reason why some companies hand out free samples – it’s a great marketing tactic, and keeps everyone happy. They might be standoffish, but the next time they have a security problem, they’ll prob think of you. You’ll be more likely to get business that way. If you get arrested and convicted of computer crimes, no one will ever pay you to do security work.

    Just trying to give you some friendly advice.

  11. deadlycodec

    Feb 17th, 2010

    BTW, that’s pretty impressive haxin there. Wouldn’t have thought they would introduce such a gaping hole, but they’re always in places where people are far less likely to look. Good job on finding that.

  12. isoz

    Feb 18th, 2010

    “Hi isoz,

    thanks again for finding these vulnerabilities and reporting them to us.

    We’ve deployed new versions of the apps that had the XSS vulnerabilities.

    Please do let us know if should you find other security related issues!

    Regards,…”

    < << SURE! <

    The exploits shown in the videos are now 'Fixed'...Guess they've been reading the blog.. lol There are more exploits on the 'Groups' and others, which I'll keep secret for now...

    deadlycodec mind sharing contact details? if so send it to isoz@null.net, thx!

  13. [...] in February, Alphaville Herald had reported on the security holes of this newfangled social networking site for avatars. Some residents even questioned the necessity [...]
