[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

XSS Ebuddy (responsible disclosure)



Early this morning, the security group Virtual Luminous published a
vulnerability in 'Ebuddy Web Messenger' and we would like to inform
you that this vulnerability had been discovered and reported to the
vendor on June 5th, 2011 by DcLabs Security Research Group.

In the report below you are going to find videos and references to the
date when the POC was sent to the vendor and the follow up regarding
the timeline for the release.
- Ocultar texto das mensagens anteriores -

[Discussion]

- DcLabs Security Research Group advises about the following vulnerability(ies):

[Software]

- eBuddy Windows Live Messenger (web)

[Vendor Product Description]

- eBuddy is a privately-held company which owns a browser-based web
and mobile messenger service supporting various instant messaging
services. eBuddy was launched in 2003 under the name e-Messenger,
located at www.e-messenger.net, before re-branding itself in 2006 to
eBuddy.

- eBuddy supports Windows Live Messenger, Yahoo! Messenger, AIM, ICQ,
Google Talk, MySpace Instant Messenger and Facebook Chat using one
interface. eBuddy can also be accessed from mobile platforms such as
iOS, Nokia Symbian and Android.
- Site: http://www.ebuddy.com

[Advisory Timeline]

- 05/06/2011 -> The bug was found;
- 06/06/2011 -> First Contact requesting security department contact;
- 06/06/2011 -> Vendor responded;
- 09/06/2011 -> Advisory sent to vendor;
- 15/06/2011 -> A demo movie sent to vendor showing how to exploit the
flaw;
- 17/06/2011 -> Vendor developing a new version;
- 27/06/2011 -> Vendor fix the initial bug;
- 28/06/2011 -> The application remains vulnerable and a new alert is
sent to the vendor;
- 30/06/2011 -> The vendor requested a new demo movie;
- 05/07/2011 -> A new demo movie sent to vendor showing how to exploit
the flaw; (http://www.youtube.com/watch?v=Kl-ahz4Kasg)
- No vendor reply
- 15/07/2011 -> Notification send to vendor requesting a status about
progress of fix;
- No vendor reply
- 01/08/2011 -> Other notification sent to vendor;
- 02/08/2011 -> Vendor responded (bug not patched);
- 31/08/2011 -> Vendor was advised of the publication release;
- 02/09/2011 -> Advisory Published.


[Bug Summary]

- The lack of input validation on the sub-nick and textarea field for
- Ocultar texto das mensagens anteriores -
Windows Live Messenger allows attackers to bypass client-side security
mechanisms normally imposed on web content by modern browsers. An
attacker can gain elevated access privileges to sensitive
page-content, session cookies, and a variety of other information
maintained by the browser on behalf of the user.

[Impact]

- High

[Affected Version]

- Ebuddy Windows Live Messenger;
- Other products may also be vulnerable;

[Bug Description and Proof of Concept]

- Exploiting the HTML-injection issue allows an attacker to execute
HTML and Java Script code in the remote user context to steal
cookie-based authentication credentials or to control how the site is
rendered to the user; other attacks may also be possible.

- Moreover, Cross Site Scripting (XSS) vulnerabilities are caused due
to lack of input validation. This allows malicious people to inject
arbitrary HTML and script code. More info at:
http://en.wikipedia.org/wiki/Cross-site_scripting

All flaws described here were discovered and researched by:

Rêner Alberto aka Gr1nch.
DcLabs Security Research Group
gr1nch (at) dclabs <dot> com <dot> br

[Patch(s) / Workaround]

N/A

[Greetz]
DcLabs Security Research Group.