Tuesday, July 21, 2009

MoTB #21: Multiple vulnerabilities in Ping.fm

What is Ping.fm
"Ping.fm is a simple and FREE service that makes updating your social networks a snap!" (Ping.fm home page)

Twitter effect
Ping.fm can be used to send tweets via its website, email, or SMS.
Ping.fm uses username/password authentication to access the Twitter API.

Popularity rate
8th place among the most used Twitter clients - 4.5 twits

1) Cross-Site Request Forgery in the SMS Phone No. Settings page.
Status: Patched.
Details: The Ping.fm SMS phone number settings page did not use an authenticity token to validate that the HTTP POST request originated from the Ping.fm web application.
This could have been used by an attacker to send tweets on behalf of victims, simply by sending an SMS to Ping.fm.

2) Reflected Cross-Site Scripting in the "Ping This!" page.
Status: Patched.
Details: The Ping.fm "Ping This!" page did not HTML-entity encode the "link" variable before echoing it into the page, which could have allowed the injection of scripts.
This vulnerability could have been used by an attacker to send tweets on behalf of victims.
Proof-of-Concept: http://ping.fm/ref/?link=xxx%22+style="color:expression(document.body.onload=function(){alert('XSS')})
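The two fixes described above, as an added illustration that is not Ping.fm's code: the "link" value from the proof-of-concept URL is rendered once without encoding (the behaviour the advisory describes) and once with HTML-entity encoding, and a settings POST is accepted only when it carries the session's authenticity token. The function names and the `<a>` markup are assumptions for the example.

```python
import hmac
import html
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# The proof-of-concept URL quoted in the advisory, reused here as the sample input.
POC_URL = ("http://ping.fm/ref/?link=xxx%22+style=\"color:expression("
           "document.body.onload=function(){alert('XSS')})")


def link_param(url: str) -> str:
    """Extract the 'link' query parameter as the page would receive it."""
    return parse_qs(urlsplit(url).query).get("link", [""])[0]


def render_vulnerable(link: str) -> str:
    """Behaviour the advisory describes: the value is echoed without encoding."""
    return f'<a href="{link}">Ping This!</a>'


def render_hardened(link: str) -> str:
    """The fix: HTML-entity encode the value (quote=True also encodes \" and ')."""
    return f'<a href="{html.escape(link, quote=True)}">Ping This!</a>'


def attribute_breakout(markup: str) -> bool:
    """True if the injected text became a second attribute on the <a> tag."""
    return ' style="' in markup


def issue_csrf_token() -> str:
    """Per-session authenticity token to embed in the SMS settings form (hypothetical helper)."""
    return secrets.token_urlsafe(32)


def sms_settings_post_allowed(session_token: str, form_token: Optional[str]) -> bool:
    """Accept the settings POST only if the form carries the token bound to the session."""
    if not form_token:
        return False
    return hmac.compare_digest(session_token, form_token)
```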

Vendor response rate
The vulnerabilities were fixed several hours after they were reported. Excellent - 5 twits.
