lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20070617193622.D443F22822@mailserver9.hushmail.com>
Date: Sun, 17 Jun 2007 20:36:22 +0100
From: <ljuser@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>
Cc: 
Subject: [LJVN-0001] Livejournal.ru non-persistent XSS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Summary
=======
Livejournal.ru non-persistent XSS leaks livejournal.com user name
and may allow cookie-stealing attacks on livejournal.ru itself.
Attack works on users that have never visited livejournal.ru - only
requirement is that they are logged in to livejournal.com.

Details
=======
Livejournal.ru is a partner site (run by SUP Fabrik) of the widely-
used journal/blog site livejournal.com. There is cross-site
authentication so that users only have to log in to livejournal.com
to be authenticated at both sites.

A livejournal user has noticed and publicly described (at
http://community.livejournal.com/no_lj_ads/62908.html) an XSS
security hole in http://www.livejournal.ru/ratings/posts.

This is compounded by the fact that, on visiting this URL,
livejournal.ru uses a modified form of OpenID to automatically sign
the user in using their livejournal.com identity and return them to
the URL. (Unlike normal OpenID, this happens without any user
interaction.) The user does not need to have registered with
livejournal.ru for this to work.

Proof-of-concept URL (should display a javascript alert with your
livejournal user name if you are logged in to livejournal.com):

http://tinyurl.com/2duogt
 http://www.livejournal.ru/ratings/posts?search=%22%3E%3Cscript%3Eal
ert%28%27Preved%2C+%27%2Bdocument.getElementById%28%27user%27%29.val
ue%2B%27%21%27%29%3C%2Fscript%3E

The obvious way to exploit this is for a website to use it to
obtain visitors' livejournal user names without their permission.
The site owners can then view the visitors' livejournal profiles
and publicly-viewable journal entries, revealing private and semi-
private information that the visitors didn't expect the website to
be able to link to their visit.

It shouldn't be possible to use this to compromise users'
livejournal.com accounts (due to the use of OpenID for
authentication), but it seems likely that a cookie-stealing attack
on livejournal.ru is possible.

This is also not a compromise of OpenID - livejournal.com have
deliberately whitelisted livejournal.ru and added a means for them
to obtain the correct OpenID identity URL (which would otherwise
have to be manually entered by the user).

Vendor notification
===================
None by me; I can't speak Russian. It has been public knowledge for
several weeks, and it's time the security community knew about it.

Workaround
==========
Use custom styles on your journal to insert bogus OpenID
information in its head element, breaking the OpenID
authentication. Then delete all livejournal.ru cookies. Note that
this will prevent you from logging into livejournal.ru and other
OpenID-enabled sites using your livejournal as your identity.

Alternatively, don't visit untrustworthy sites whilst logged in to
livejournal.

Even better, don't log in to livejournal.

Lessons
=======
Be careful which external websites you set up transparent single-
sign-on for. Even if the SSO is done securely and the site owner is
trustworthy, security vulnerabilities in the partner site may have
undesirable privacy implications.

Greetz to bantown, revmischa and bradfitz.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkZ1jRAACgkQ3eAm93S+uMTMSgP7BsSBLjoZ21xh6W27Li5vdYdqNz0c
NVonpGIGMW/V7Eo3ukHTw3JBr9D8UIzXkpzie12l1zOizaxN02E0So7TJVAwBHmNhpNO
1ZRQotj1hpTQfPUTO9ONFSsAKiW8ZyalgXKy9HidFbQF1w0z3Gh0qCxo5NjLJW38fbmM
3OMetfo=
=CeRm
-----END PGP SIGNATURE-----

--
Click to become an artist and quit your boring job
http://tagline.hushmail.com/fc/CAaCXv1P27wFyqZyj6SnZr646r98O36K/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ