
SWIM - Medium Size Site - All Accounts Compromised

Discussion in 'Social Networking Sites' started by divinci, Jan 18, 2010.

  1. divinci

    divinci Junior Member

    Joined:
    Sep 25, 2007
    Messages:
    111
    Likes Received:
    15
    Hi all,

    SWIM is writing a proof of concept about a vuln in a medium size social networking site
    (39K/day hits - top 80K alexa traffic rank - top 20K alexa US traffic rank)

    So basically SWIM tells me it allows jscript to be run client side, on each profile view. When a logged in user visits an infected profile, their profile too gets infected - exponential growth - similar to hxxp://namb.la/popular

    The worm then hides itself from the user - only viewing the source will show the script tag. Also, once infected it is impossible to clean - it would need an admin to UPDATE WHERE CONTAINS the database.

    Possibilities? Well, due to the ajax object, anything the logged in user can do - the worm can do.. (messaging, posting, scraping, password)

    ANYHOW! SWIM - knowing I am black hat - has asked me to see if there are any non-intrusive / non-destructive ways to make some dosh - FOR INCLUSION IN HIS POC :)

    ** NOTE worm can be cleaned at any time by master control **
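A defender-side counterpart to the post above, added here and not code from the thread or the site in question: an allowlist sanitiser for stored profile markup that drops script tags, on* event-handler attributes and javascript: URLs, plus a scan that lists which stored profiles contain anything outside the allowlist (the rows the "UPDATE WHERE CONTAINS" cleanup would have to touch). The allowed tag and attribute set and the two sample profile rows are assumptions.

```python
from html import escape
from html.parser import HTMLParser
import re
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "a", "img"}   # assumed site policy
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_URL = re.compile(r"^(https?:|/)", re.IGNORECASE)    # rejects javascript:

class ProfileSanitizer(HTMLParser):
    # Rebuilds markup from the allowlist; anything else is counted in `dropped`.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self._skip = [], 0, 0  # _skip: inside <script>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):   # drop the element and its whole body
            self._skip += 1
            self.dropped += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            self.dropped += 1
            return
        kept = []
        for name, value in attrs:
            ok = name in ALLOWED_ATTRS.get(tag, set()) and value is not None
            if ok and SAFE_URL.match(value.strip()):
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped += 1  # e.g. onerror=..., href="javascript:..."
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

def clean_profile(html_text):  # -> (sanitised_html, count of removed tags/attrs)
    p = ProfileSanitizer()
    p.feed(html_text); p.close()
    return "".join(p.out), p.dropped

def find_infected(profiles):  # ids of rows an admin would have to update
    return [pid for pid, body in profiles.items() if clean_profile(body)[1] > 0]
SAMPLE_PROFILES = {  # constructed rows: one clean, one with an injected script tag
    101: "<p>Hi, I am <b>alice</b></p>",
    102: '<p>bob</p><script src="//example.invalid/worm.js"></script>',
}
```

Running the sanitiser on write (when a profile is saved) and once over the existing table is what turns the admin-only cleanup the post describes into a routine check.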
     
  2. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 27, 2009
    Messages:
    2,468
    Likes Received:
    10,148
    Simplest of all, clickjacking - fraud. Of course, I am not advocating that.

    Is he selling this vuln at any known 0-day buying companies? He could get some good legit money.
     
  3. divinci

    divinci Junior Member

    Joined:
    Sep 25, 2007
    Messages:
    111
    Likes Received:
    15
    just on my way home, will bbl for any PMs
     
  4. divinci

    divinci Junior Member

    Joined:
    Sep 25, 2007
    Messages:
    111
    Likes Received:
    15
    hmm well - SWIM doesn't have the infrastructure for click fraud...

    CPA
    change the profile page DOM - new tab - new features - enter email etc.....

    but cpa = boring..

    maybe the site has a new webcam section/soft..