See the screen-shots for the proof of the bug.
How is it done, and what are the consequences?
Any user can trigger a script and redirect another user to a fake page or any web link through this security bug.
In.com is the Indian counterpart of last.fm, and millions of users are registered on this website.
We hope the builders of this site will read this and take serious action before someone becomes a victim of this vulnerability.
The bug, on http://mail.in.com/mails/inbox.php, is an XSS vulnerability: the web application lacks input filtering/validation in the INBOX, SENT and DELETED views (http://mail.in.com/mails/inbox.php).
Briefing:-
For technical users:
Cross Site Scripting (XSS) is an attempt to bypass input validation and give the attacker the means to inject content into the page. This content can be used to trick the user into disclosing sensitive information, execute actions via existing credentials, and so on. Even a CSRF attack can be mounted through the initial XSS hole, so in some ways, XSS is an exploit with nearly limitless possibilities. Unfortunately, XSS is also extremely common, arguably the biggest bane of web applications, affecting both large and small sites.
For common users
For those who don't know anything about web development and security, XSS can be defined as follows:
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users (source: Wikipedia).
With the help of this vulnerability, an attacker can do the following harm to users or organizations:
* Identity theft
* Accessing sensitive or restricted information
* Gaining free access to otherwise paid-for content
* Spying on a user’s web browsing habits
* Public defamation of an individual or corporation
* Web application defacement
Solution:-
Preventing Cross Site Scripting attacks
To prevent these attacks, dangerous characters must be filtered out of the web application's inputs, both as literal ASCII characters and in their hex-encoded forms.
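As an added illustration of the point above (example code written for this post, not the in.com application's own), the following Python decodes hex-encoded input once, then encodes untrusted mail fields on output and allows only http(s) links in the inbox listing; all names and sample values are constructed.

```python
import html
from urllib.parse import unquote, urlsplit

# Constructed sample values standing in for fields of one message in an inbox
# listing; nothing here is taken from in.com (hypothetical data).
SAMPLE_SENDER = 'Alice <alice@example.com>'
SAMPLE_SUBJECT = 'Re: "quarterly" report & notes'
SAMPLE_LINK = 'https://example.com/attachment?id=42'


def decode_input(raw: str) -> str:
    """Undo URL (percent/hex) encoding once, so %3C and a literal '<' are
    treated as the same character before any rendering decision is made."""
    return unquote(raw)


def escape_html(value: str) -> str:
    """Encode the five characters that can change HTML structure (& < > " ').
    Escaping on output keeps legitimate text intact, unlike deleting characters."""
    return html.escape(value, quote=True)  # quote=True also turns ' into &#x27;


def safe_href(url: str) -> str:
    """Only absolute http(s) URLs may become links inside rendered mail;
    any other scheme or a scheme-less value is replaced by an inert '#'."""
    url = url.strip()
    parts = urlsplit(url)  # urlsplit lower-cases the scheme for us
    if parts.scheme in ("http", "https") and parts.netloc:
        return escape_html(url)  # still escape: the URL lands in an attribute
    return "#"


def render_inbox_row(sender: str, subject: str, link: str) -> str:
    """Build one <tr> of the inbox table from untrusted, already-decoded fields."""
    return ('<tr><td>{s}</td><td><a href="{h}">{j}</a></td></tr>'
            .format(s=escape_html(sender), h=safe_href(link), j=escape_html(subject)))


if __name__ == "__main__":
    print(render_inbox_row(SAMPLE_SENDER, SAMPLE_SUBJECT, SAMPLE_LINK))
```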
What are the risks?
Anyone can redirect other users to a fake page or any link through this exploit.
Note:-
This article is only to make users aware of computer security, so that people can save themselves from damage. Do not use this article to harm anyone. (I will not be responsible for anything.)
Subscribe to the feeds for more updates on this.
Make others aware of this security risk by stumbling and digging this article.
Credit for the hack goes to my friend D3monoid of Download Arena.
Comments:-
Great analysis. Have you attempted to contact in.com? Try abuse@in.com
-RS
The only way to block something is to know about it.
Good one! A fake page URL can be inserted there.. or even worse.. a cookie stealer!
@stiennon
That was the first thing I did when my friend Demonoid discovered the bug, but it seems like they are very reluctant to fix it!!
I checked out the script insertion vulnerability, but it doesn’t seem to affect anybody but your own account (as, if you were to script an outbound mail, the only one who will see it in its full unscripted form will be you, since they seem to be filtering the outbound mail, and inbound mail itself, for JS), so the headline that says “Millions of users affected” is untrue.. it can only affect your own account, and you can’t actually steal anybody else’s cookies at all... because nobody else but you gets to see your sent box..
nice find
Finally, In.com replied to my mail:
“Thank you for contacting IN.COM,
We have fixed the bug. It is great help from your side.
Regards
Team In.com”
Thanks man!! For crediting me!