web application security lab

Netvibes XSS Hole On Homepage

This will seem like an odd post at first. Netvibes is vulnerable to XSS. “Wow” you’re saying, “Who cares? Practically every website is.” This one was a little different from most. What I noticed on a random blog site was the initial URL. The URL itself was pretty tame: just a redirection back to the homepage. In that redirection, however, a cookie was set. Can you see where I’m going with this?

So upon redirection to the site there was no XSS in the URL string; it was, in fact, Netvibes’ homepage. The problem is that Netvibes’ homepage is dynamically constructed and reads those cookies, and those cookies contain our XSS script. They even try to account for XSS by escaping quotes. Alas, that’s pretty trivial to get out of.

So Netvibes takes the cookie and transforms it into JavaScript to do some tests on it. Meanwhile we have broken out of the JavaScript string and now control the web page. Not just any web page, but the home page. This is what I’ve been talking about with muddying the waters. Instead of this being a simple HTML injection issue that would have been very cut and dry to fix, now they have to fix it in two places: the JavaScript, and perhaps the server side as well if it is expecting angle brackets to not be encoded. It might also require a change to the cookie-writing code itself (although that probably wouldn’t stop me anyway, as I could forge my own cookies with Flash).
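To make the “escaping quotes is not enough” point concrete, here is an added example (not Netvibes’ code; the cookie name and the `theme` variable are made up) contrasting a quote-only escape with a context-aware encoder for a value dropped into an inline script, plus a check a defender can run over the rendered page:

```javascript
// Naive pattern described in the post: only the quote character is escaped
// before the value is placed inside a double-quoted JavaScript string.
function naiveEscape(value) {
  return String(value).replace(/"/g, '\\"');
}

// Hardened: JSON-encode (quotes, backslashes, control characters), then also
// escape what the *HTML* parser cares about. The HTML parser ends a <script>
// block at "</script" no matter what state the JavaScript string is in, so
// angle brackets must be neutralised too. U+2028/U+2029 are valid in JSON but
// are line terminators in older JavaScript engines, so escape them as well.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Two ways a template layer might write a cookie value into the page.
function renderNaive(cookieValue) {
  return '<script>var theme = "' + naiveEscape(cookieValue) + '";</script>';
}
function renderHardened(cookieValue) {
  return "<script>var theme = " + jsStringLiteral(cookieValue) + ";</script>";
}

// Defensive check: exactly one script terminator survives, and the literal
// parses back to the original value (i.e. the token structure is intact).
function isSafelyEmbedded(html, original) {
  const closers = (html.match(/<\/script/gi) || []).length;
  if (closers !== 1) return false;
  const m = html.match(/^<script>var theme = (.*);<\/script>$/s);
  if (!m) return false;
  try {
    return JSON.parse(m[1]) === original;
  } catch (e) {
    return false; // literal no longer parses: the string was broken out of
  }
}

// Constructed sample cookie values (not real Netvibes data).
const SAMPLE_VALUES = ["dark", "dark</script>", "x\\"];
```

The second and third sample values pass through `renderNaive` with a second `</script` terminator or an unterminated string respectively, while `renderHardened` keeps both intact.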

Netvibes is only interesting because of the sheer volume of users who could be phished and because it affects their homepage. It’s also interesting because I’ve heard of a few tools that might try to take into account the URL of the page you are on, and in this case, unless such a tool also counted redirections, that protection would fail. I know I have a few Netvibes users, so unless you typed in the URL by hand, be careful!

7 Responses to “Netvibes XSS Hole On Homepage”

  1. devloop Says:

    And all these Web2 platforms are interconnected…
    Netvibes allows you to display your gmail or yahoo emails, pictures from your flickr account and more. :-/
    I don’t use these modules to protect my privacy but a lot of users do.

  2. DanielG Says:

    “Who cares? Practically very website is.”

    I’m guessing FireFox 2.0 spell checker made ‘evry’ into ‘very’ ;-)

  3. Franck Mahon Says:

    Thank you very much for discovering this vulnerability. Thanks to your help we were able to fix it. In case you discover some other holes don’t hesitate to contact us. Again, thanks a lot.

  4. RSnake Says:

    Devloop, you’re exactly right. That’s a pretty good example of why when you are using single sign-on (or a single choke point for security) your entire security chain is only as strong as that single choke point. I might write more about that issue in the future.

    DanielG, oops… thanks, I fixed it.

    Franck, you’re welcome, but that’s not the only one, just probably the most serious one. Maluc found another: http://sla.ckers.org/forum/read.php?3,44,page=22#msg-2150

  5. Franck Mahon Says:

    The one Maluc found has been fixed too… and we are searching and fixing all the others which could remain.

  6. RSnake Says:

    Well done. It’s great seeing such quick turn around!

  7. Attacking netvibes.com at Disenchant’s Blog Says:

    […] After I read the blog post of RSnake in which he shows an XSS at netvibes.com I also thought that I should have a look at this webservice. First I have to say that the guys there have done a great job, this service really shows what the mysterious Web 2.0 is. On the other hand I have to look at it from the security point of view. There I think they also did well but it’s not completely secure (that would be nearly impossible for such a big webapp), so I found some security holes in a relatively short time. I hope they will patch it as soon as possible. […]