Vulnerability in user posting in Nick.com forums

[Danny Ricci <danny () dricci com>]

I have discovered a serious flaw in the Nick.com Children's TV Site's 
message boards.

Information: Nick.com is a website for Kids whom watch the Nickelodeon 
cable channel. They offer a message board area that's moderated heavily 
to try to make it one of the safest areas on the net.

Vulnerability: When you create a user and log in to their message board 
system (powered by PeopleLink), a JavaScript window pops up with the 
forum selection and main content inside. This doesn't work too well with 
window resizing/scrolling in Mac OS X (my OS of choice) so I chose to 
open the JavaScript's html contents in a new window. This helped the 
problem, but reviled a major flaw in their user identification system. 
The URL is formed like this:
http://plnk.peoplelink.com/plnk/nickelodeon/boards40/frame.cfm?handle=ANY_USERNAME_HERE&;
intgroup=100000910

Handle means the Username of the poster. "intgroup" is the Forum/Message 
ID. You can change the "handle" part of the URL to _ANY_ name, including 
already registered names. You then can post as any username. However, 
all messages take up to 24 hours to be "approved," but if the message is 
"clean," it usually will be approved, even if the name is  fake. This 
has been tested. It was obvious that this was hidden in a JavaScript 
popup to probably cover this flaw.

I have contacted the webmaster and the domain's whois contact (which 
bounced back). Today the site announced a fix which would take place 
Monday:

Fix: Nick.com forum moderators have confirmed they will be switching to 
a new message board system this coming Monday, and leaving all former 
data behind. This appears to be due to the problem I discovered, however 
I was never contacted directly to confirm this.