Recently I came across an interesting service: it lets you store your passwords for various sites and, if you wish, post to all of those sites at once from a single interface.
I don't use it myself and I don't understand why such sites are needed, but I wondered how well user passwords are protected on them.
Poking around the service, I found a couple of XSS holes. But what site doesn't have them? Even on Habr itself not all of them have been closed yet (though Habr doesn't store other people's passwords, so that is forgivable).
I was even more surprised to learn that a user's cookie alone is enough to change their password and any of their other data on this service. There is no such simple thing as tying sessions to an IP address, let alone requiring the password to be entered again when critical data is changed. And that is quite unforgivable; even Habr doesn't show such disregard for security.
But that isn't the funniest part. By chance I discovered that if I change the e-mail address in my profile, the system happily sends the user's unencrypted password to the new address. This is beyond the pale. Not only should a user's password never be stored unencrypted, they send it by mail in the clear to anyone...
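The two defects described above (a session cookie alone authorizing a critical change, and a stored plaintext password being mailed out) have a standard fix: store only a salted hash, require the current password again before a sensitive change, notify both the old and new address without any secret in the message, and drop every other session for that account. The following is an added example written for this post, not bestpersons.ru's code; the in-memory `AccountService`, its user and session dictionaries and the `outbox` list standing in for a mail client are all constructed here for illustration.

```python
"""Hardened account-settings flow: hashed passwords, re-authentication before
an e-mail change, and notifications that never carry the password."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000  # example cost; tune to the hardware you run on


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the service only ever keeps this digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AccountService:
    """Hypothetical in-memory service constructed for this example."""

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}      # username -> {email, salt, pw_hash}
        self.sessions: dict[str, str] = {}    # session token -> username
        self.outbox: list[tuple[str, str]] = []  # (recipient, body); stands in for SMTP

    def register(self, username: str, email: str, password: str) -> None:
        salt = os.urandom(16)
        # The plaintext password is discarded here; nothing can mail it later.
        self.users[username] = {"email": email, "salt": salt,
                                "pw_hash": hash_password(password, salt)}

    @staticmethod
    def verify(user: dict, password: str) -> bool:
        candidate = hash_password(password, user["salt"])
        return hmac.compare_digest(candidate, user["pw_hash"])  # constant-time compare

    def login(self, username: str, password: str):
        user = self.users.get(username)
        if user is None or not self.verify(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def is_logged_in(self, token: str) -> bool:
        return token in self.sessions

    def change_email(self, session_token: str, current_password: str, new_email: str) -> bool:
        username = self.sessions.get(session_token)
        if username is None:
            raise PermissionError("not logged in")
        user = self.users[username]
        # Re-authentication: a hijacked session cookie (e.g. via XSS) is not enough.
        if not self.verify(user, current_password):
            raise PermissionError("current password required to change e-mail")
        old_email, user["email"] = user["email"], new_email
        # Tell both addresses what happened; the body contains no credential.
        notice = f"The e-mail address on account '{username}' was changed to {new_email}."
        for recipient in (old_email, new_email):
            self.outbox.append((recipient, notice))
        # Invalidate every other session for this account so an intruder is logged out.
        self.sessions = {t: u for t, u in self.sessions.items()
                         if u != username or t == session_token}
        return True


if __name__ == "__main__":
    svc = AccountService()
    svc.register("alice", "alice@example.test", "correct horse")
    tok = svc.login("alice", "correct horse")
    svc.change_email(tok, "correct horse", "alice-new@example.test")
    print(svc.outbox)
```

The point of the re-authentication check is that it turns a stolen cookie from "full account takeover" into "read access until the session expires": without the current password the attacker can neither redirect the account's e-mail nor set a new password, and the notification to the old address gives the real owner a chance to notice.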
All this got so interesting that I decided to find out what an attacker could achieve on this site.
After writing a small script and applying a bit of psychology (to get people to visit my profile, which contained the script), I received the passwords of about 400 of the service's users in clear text. Considering that 80 percent or more of people use the same password on several sites (sometimes for their e-mail too), and that the list of sites a user is registered on can be read straight from their profile (this is the main feature of the service in question), it turns out to be a real paradise for intruders.
With quite a small amount of JS code you can get hold of a person's password, post on their behalf to their other blogs (if they have set up that feature on the service) and, with luck (or the user's carelessness), get into their accounts on other sites.
What is this great service?
This is bestpersons.ru, whose programmers proudly wrote about the XSS they found on Jaiku itself!
UPD: no longer proud :(
Good luck to those who use services that "unite sites."
P.S. They also provide OpenID ;)
Continuation of the story