Full Disclosure mailing list archives
[LJVN-0001] Livejournal.ru non-persistent XSS
From: <ljuser () hushmail com>
Date: Sun, 17 Jun 2007 20:36:22 +0100
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Summary ======= Livejournal.ru non-persistent XSS leaks livejournal.com user name and may allow cookie-stealing attacks on livejournal.ru itself. Attack works on users that have never visited livejournal.ru - only requirement is that they are logged in to livejournal.com. Details ======= Livejournal.ru is a partner site (run by SUP Fabrik) of the widely- used journal/blog site livejournal.com. There is cross-site authentication so that users only have to log in to livejournal.com to be authenticated at both sites. A livejournal user has noticed and publicly described (at http://community.livejournal.com/no_lj_ads/62908.html) an XSS security hole in http://www.livejournal.ru/ratings/posts. This is compounded by the fact that, on visiting this URL, livejournal.ru uses a modified form of OpenID to automatically sign the user in using their livejournal.com identity and return them to the URL. (Unlike normal OpenID, this happens without any user interaction.) The user does not need to have registered with livejournal.ru for this to work. Proof-of-concept URL (should display a javascript alert with your livejournal user name if you are logged in to livejournal.com): http://tinyurl.com/2duogt http://www.livejournal.ru/ratings/posts?search=%22%3E%3Cscript%3Eal ert%28%27Preved%2C+%27%2Bdocument.getElementById%28%27user%27%29.val ue%2B%27%21%27%29%3C%2Fscript%3E The obvious way to exploit this is for a website to use it to obtain visitors' livejournal user names without their permission. The site owners can then view the visitors' livejournal profiles and publicly-viewable journal entries, revealing private and semi- private information that the visitors didn't expect the website to be able to link to their visit. It shouldn't be possible to use this to compromise users' livejournal.com accounts (due to the use of OpenID for authentication), but it seems likely that a cookie-stealing attack on livejournal.ru is possible. This is also not a compromise of OpenID - livejournal.com have deliberately whitelisted livejournal.ru and added a means for them to obtain the correct OpenID identity URL (which would otherwise have to be manually entered by the user). Vendor notification =================== None by me; I can't speak Russian. It has been public knowledge for several weeks, and it's time the security community knew about it. Workaround ========== Use custom styles on your journal to insert bogus OpenID information in its head element, breaking the OpenID authentication. Then delete all livejournal.ru cookies. Note that this will prevent you from logging into livejournal.ru and other OpenID-enabled sites using your livejournal as your identity. Alternatively, don't visit untrustworthy sites whilst logged in to livejournal. Even better, don't log in to livejournal. Lessons ======= Be careful which external websites you set up transparent single- sign-on for. Even if the SSO is done securely and the site owner is trustworthy, security vulnerabilities in the partner site may have undesirable privacy implications. Greetz to bantown, revmischa and bradfitz. -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.5 wpwEAQECAAYFAkZ1jRAACgkQ3eAm93S+uMTMSgP7BsSBLjoZ21xh6W27Li5vdYdqNz0c NVonpGIGMW/V7Eo3ukHTw3JBr9D8UIzXkpzie12l1zOizaxN02E0So7TJVAwBHmNhpNO 1ZRQotj1hpTQfPUTO9ONFSsAKiW8ZyalgXKy9HidFbQF1w0z3Gh0qCxo5NjLJW38fbmM 3OMetfo= =CeRm -----END PGP SIGNATURE----- -- Click to become an artist and quit your boring job http://tagline.hushmail.com/fc/CAaCXv1P27wFyqZyj6SnZr646r98O36K/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [LJVN-0001] Livejournal.ru non-persistent XSS ljuser (Jun 17)