Millions of Users at risk on www.in.com

by Harsh Agrawal on November 30, 2008

in Safety, security

Unfortunately, the design team of www.in.com forgot to fix a serious vulnerability. Using this flaw, a user's cookie can easily be stolen, or the user can be redirected to any website (such as a phishing website).

See the screen-shots for the proof of the bug.

How is it done, and what are the consequences?

Through this security bug, any user can trigger a script and redirect a user to a fake page or any web link.

In.com is the Indian counterpart of last.fm, and millions of users are registered on this website.

[Screenshot: in test]

[Screenshot: in result]

We hope the builders of this site will read this and take serious action before someone becomes a victim of this vulnerability.

The bug, which is in http://mail.in.com/mails/inbox.php, is called XSS. There is a lack of filtration/validation in INBOX, SENT and DELETED (http://mail.in.com/mails/inbox.php) in the web application.

Briefing:-

For Technical users:
Cross Site Scripting (XSS) is an attempt to bypass input validation and give the attacker the means to inject content into the page. This content can be used to trick the user into disclosing sensitive information, execute actions via existing credentials, and so on. Even a CSRF attack can be mounted through the initial XSS hole, so in some ways, XSS is an exploit with nearly limitless possibilities. Unfortunately, XSS is also extremely common, arguably the biggest bane of web applications, affecting both large and small sites.

For the common users

For those who don’t know anything about technical web building and security, XSS can be defined as:
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users (source: wiki).

With the help of this vulnerability, a computer hacker can cause the following harm to a user or organization:

* Identity theft
* Accessing sensitive or restricted information
* Gaining free access to otherwise paid for content
* Spying on user’s web browsing habits
* Public defamation of an individual or corporation
* Web application defacement

Solution:-
Preventing Cross Site Scripting attacks
To prevent these attacks, dangerous characters must be filtered out from the web application inputs. These characters should be filtered out both in their ASCII and HEX values.
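Why the filter has to cover both the ASCII and the hex form is shown in the following added example, which is not code from in.com or from the original post. The function names, the `subject` table cell and the sample inputs are assumptions constructed for illustration: a filter that only removes the literal characters lets a percent-encoded value through, while decoding first and HTML-encoding at output renders every form as plain text.

```python
import html
from urllib.parse import unquote

DANGEROUS = set("<>\"'&")

# Constructed sample inputs: the same markup in ASCII, percent-encoded (hex)
# and HTML hex-entity form.
SAMPLES = [
    "<script>alert(1)</script>",
    "%3Cscript%3Ealert(1)%3C/script%3E",
    "&#x3C;script&#x3E;alert(1)&#x3C;/script&#x3E;",
]

def naive_filter(value: str) -> str:
    """Denylist that removes only the literal (ASCII) dangerous characters."""
    return "".join(ch for ch in value if ch not in DANGEROUS)

def naive_render(raw: str) -> str:
    """Flawed: filters the ASCII form, then a later layer decodes the hex form."""
    return '<td class="subject">' + unquote(naive_filter(raw)) + "</td>"

def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Decode percent-encoding and HTML entities until the value stops changing."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            return value
        value = decoded
    raise ValueError("input is encoded too deeply; rejecting")

def safe_render(raw: str) -> str:
    """Canonicalize first, then HTML-encode at output so markup shows as text."""
    return '<td class="subject">' + html.escape(canonicalize(raw), quote=True) + "</td>"

if __name__ == "__main__":
    for sample in SAMPLES:
        print("naive:", naive_render(sample))
        print("safe: ", safe_render(sample))
```

The encoding at output is what makes the page safe; the canonicalization step only ensures that the ASCII and hex forms are treated as the same value before it.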

What are the risks?

Anyone can redirect another user to a fake page or any link through this exploit.

Note:-
This article is only meant to make users aware of computer security, so that people can save themselves from the damage. Do not use this article to harm anyone. (I will not be responsible for anything.)


The hack credit goes to my friend D3monoid of download arena. :)


{ 8 comments… read them below or add one }

1 stiennon December 4, 2008 at 12:46

Great analysis. Have you attempted to contact in.com? Try abuse@in.com

-RS


2 Jim Gaudet December 4, 2008 at 13:54

The only way to block something is to know about it.

3 Monty - Sensonize.com December 4, 2008 at 16:06

Good one! Fake Page URL can be inserted there.. Or even worse.. a cookie stealer!

4 P@r@noid December 4, 2008 at 20:32

Twitter: @denharsh

@ stiennon

That was the first thing I did when my friend demonoid discovered the bug, but it seems like they are very reluctant to fix it!!

5 Edna December 4, 2008 at 22:03

I checked out the Script insertion vulnerability, but it doesn’t seem to affect anybody but your own account (as, if you were to script an outbound mail, the only one who will see it in its full unscripted form will be you (as they seem to be filtering the outbound mail, and inbound mail itself for JS)), so the headline that says “Millions of users affected” is untrue.. it can only affect your own account, and you can’t actually steal anybody else’s cookies at all…because nobody else but you gets to see your sent box..

6 BAS December 6, 2008 at 06:34

nice find


7 P@r@noid December 6, 2008 at 13:06

Twitter: @denharsh

Finally In.com replied to my mail

“Thank you for contacting IN.COM,

We have fixed the bug. It is gr8 help from you side.

Regards
Team In.com”


8 d3monoid March 19, 2009 at 19:41

Twitter: @hirenpandya

Thanks man!! for crediting me! :)
