Netvibes XSS Hole On Homepage
This will seem like an odd post at first. Netvibes is vulnerable to XSS. “Wow” you’re saying, “Who cares? Practically every website is.” This one was a little different than most. What I noticed on a random blog site was the initial URL. The URL itself was pretty tame: just a redirection back to the homepage. In that redirection a cookie was set. Can you see where I’m going with this?
So upon redirection to the site there was no XSS in the URL string; it was, in fact, Netvibes’ homepage. The problem is that Netvibes’ homepage is dynamically constructed and reads those cookies, and those cookies contain our XSS script. They even try to account for XSS by escaping quotes. Alas, that’s pretty trivial to get out of.
So Netvibes takes the cookie and transforms it into JavaScript to do some tests on it. Meanwhile we have broken out of the JavaScript string and now control the web page. Not just any web page, but the home page. This is what I’ve been talking about with muddying the waters. Instead of this being a simple HTML injection issue that would have been very cut and dry to fix, now they have to fix it in two places: the JavaScript, and perhaps the server side if it is expecting angle brackets not to be encoded. Additionally it might also require a change to the cookie-writing code itself (although that probably wouldn’t stop me anyway, as I could forge my own cookies with Flash).
Netvibes is only interesting because of the sheer volume of users who could be phished and because it affects their homepage. It’s also interesting because I’ve heard of a few tools that try to take into account the URL of the page you are on, and in this case, unless they also counted redirections, that protection would fail. I know I have a few Netvibes users, so unless you typed in the URL by hand, be careful!
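To make the “escaping quotes is trivial to get out of” point concrete, here is an added illustration (not code from the original post, and not Netvibes’ own code) of the two server-side patterns involved: embedding a cookie value into an inline script with quote-only escaping, versus JSON-encoding it and neutralizing the characters the HTML parser cares about. The cookie values, the `prefs` variable, the `checkPrefs` call and the template strings are all constructed for this example. The check function scans the emitted script the way a JavaScript tokenizer and an HTML parser would, so it flags both ways a quote-only escaper fails: a backslash in front of the escaped quote, and a `</script>` inside the string.

```python
import json
import re

# Constructed sample cookie values (not taken from the original post). The
# first is benign; the other two exercise the two classic ways a value
# leaves a JavaScript string literal when only quotes are escaped.
SAMPLE_COOKIES = {
    "benign": "theme=dark",
    "backslash": 'x\\"; alert(1); //',              # backslash before the quote
    "script_close": "</script><script>alert(1)</script>",
}

# Hypothetical homepage template pieces for this example.
PREFIX = "<script>var prefs = "
SUFFIX = "; checkPrefs(prefs);</script>"


def embed_quote_escaped(cookie_value: str) -> str:
    """The weak pattern the post describes: only double quotes are escaped."""
    escaped = cookie_value.replace('"', '\\"')
    return f'{PREFIX}"{escaped}"{SUFFIX}'


def embed_json_safe(cookie_value: str) -> str:
    """Hardened pattern: JSON-encode the value (backslashes, quotes and, with
    the default ensure_ascii=True, every non-ASCII character are escaped),
    then also escape the characters that matter to the HTML parser so that
    '</script' can never appear inside the literal."""
    literal = json.dumps(cookie_value)
    literal = (literal.replace("<", "\\u003c")
                      .replace(">", "\\u003e")
                      .replace("&", "\\u0026"))
    return f"{PREFIX}{literal}{SUFFIX}"


def _scan_js_string(text: str, start: int) -> int:
    """Return the index just past the closing quote of the JavaScript string
    literal that opens at text[start]; raise if it never closes."""
    quote = text[start]
    i = start + 1
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            i += 2          # an escape sequence consumes the next character
            continue
        if ch == quote:
            return i + 1
        i += 1
    raise ValueError("unterminated string literal")


def literal_is_contained(html: str) -> bool:
    """True iff the emitted script is safe in both senses that matter here:
    the string literal closes exactly where the template intended, and the
    HTML parser sees a single </script> terminator."""
    if not html.startswith(PREFIX):
        return False
    try:
        end = _scan_js_string(html, len(PREFIX))
    except ValueError:
        return False        # e.g. value ending in a backslash ate the closing quote
    closes_in_place = html[end:] == SUFFIX
    single_terminator = len(re.findall(r"</script", html, re.IGNORECASE)) == 1
    return closes_in_place and single_terminator


def audit(embed) -> dict:
    """Run every sample cookie through an embedding function."""
    return {name: literal_is_contained(embed(value))
            for name, value in SAMPLE_COOKIES.items()}


if __name__ == "__main__":
    print("quote-only escaping:", audit(embed_quote_escaped))
    print("JSON + HTML escaping:", audit(embed_json_safe))
```

Running the block prints `False` for the backslash and `</script>` cases under quote-only escaping and `True` for every case under the JSON-based encoder. The check also catches a value that simply ends in a backslash, which swallows the closing quote and leaves the literal unterminated; the same value round-trips cleanly through `json.dumps`.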
October 25th, 2006 at 1:51 am
And all these Web2 platforms are interconnected…
Netvibes allows you to display your gmail or yahoo emails, pictures from your flickr account and more. :-/
I don’t use these modules to protect my privacy but a lot of users do.
October 25th, 2006 at 5:38 am
“Who cares? Practically very website is.”
I’m guessing FireFox 2.0 spell checker made ‘evry’ into ‘very’
October 25th, 2006 at 7:39 am
Thank you very much for discovering this vulnerability. Thanks to your help we were able to fix it. In case you discover some other holes don’t hesitate to contact us. Again, thanks a lot.
October 25th, 2006 at 8:09 am
Devloop, you’re exactly right. That’s a pretty good example of why when you are using single sign-on (or a single choke point for security) your entire security chain is only as strong as that single choke point. I might write more about that issue in the future.
DanielG, oops… thanks, I fixed it.
Franck, you’re welcome, but that’s not the only one, just probably the most serious one. Maluc found another: http://sla.ckers.org/forum/read.php?3,44,page=22#msg-2150
October 25th, 2006 at 8:57 am
The one Maluc found has been fixed too… and we are searching and fixing all the others which could remain.
October 25th, 2006 at 11:25 am
Well done. It’s great seeing such quick turn around!
October 26th, 2006 at 12:38 am
[…] After I read the blog post of RSnake in which he shows an XSS at netvibes.com I also thought that I should have a look at this web service. First I have to say that the guys there have done a great job, this service really shows what the mysterious Web 2.0 is. On the other hand I have to look at it from the security point of view. There I think they also did well but it’s not completely secure (that would be nearly impossible for such a big webapp), so I found some security holes in a relatively short time. I hope they will patch it as soon as possible. […]