XSS Ebuddy (responsible disclosure)


Early this morning, the security group Virtual Luminous published a vulnerability in 'Ebuddy Web Messenger' and we would like to inform you that this vulnerability had been discovered and reported to the vendor on June 5th, 2011 by DcLabs Security Research Group. In the report below you are going to find videos and references to the date when the POC was sent to the vendor and the follow up regarding the timeline for the release. - Ocultar texto das mensagens anteriores - [Discussion] - DcLabs Security Research Group advises about the following vulnerability(ies): [Software] - eBuddy Windows Live Messenger (web) [Vendor Product Description] - eBuddy is a privately-held company which owns a browser-based web and mobile messenger service supporting various instant messaging services. eBuddy was launched in 2003 under the name e-Messenger, located at www.e-messenger.net, before re-branding itself in 2006 to eBuddy. - eBuddy supports Windows Live Messenger, Yahoo! Messenger, AIM, ICQ, Google Talk, MySpace Instant Messenger and Facebook Chat using one interface. eBuddy can also be accessed from mobile platforms such as iOS, Nokia Symbian and Android. - Site: http://www.ebuddy.com [Advisory Timeline] - 05/06/2011 -> The bug was found; - 06/06/2011 -> First Contact requesting security department contact; - 06/06/2011 -> Vendor responded; - 09/06/2011 -> Advisory sent to vendor; - 15/06/2011 -> A demo movie sent to vendor showing how to exploit the flaw; - 17/06/2011 -> Vendor developing a new version; - 27/06/2011 -> Vendor fix the initial bug; - 28/06/2011 -> The application remains vulnerable and a new alert is sent to the vendor; - 30/06/2011 -> The vendor requested a new demo movie; - 05/07/2011 -> A new demo movie sent to vendor showing how to exploit the flaw; (http://www.youtube.com/watch?v=Kl-ahz4Kasg) - No vendor reply - 15/07/2011 -> Notification send to vendor requesting a status about progress of fix; - No vendor reply - 01/08/2011 -> Other notification sent to vendor; - 02/08/2011 -> Vendor responded (bug not patched); - 31/08/2011 -> Vendor was advised of the publication release; - 02/09/2011 -> Advisory Published. [Bug Summary] - The lack of input validation on the sub-nick and textarea field for - Ocultar texto das mensagens anteriores - Windows Live Messenger allows attackers to bypass client-side security mechanisms normally imposed on web content by modern browsers. An attacker can gain elevated access privileges to sensitive page-content, session cookies, and a variety of other information maintained by the browser on behalf of the user. [Impact] - High [Affected Version] - Ebuddy Windows Live Messenger; - Other products may also be vulnerable; [Bug Description and Proof of Concept] - Exploiting the HTML-injection issue allows an attacker to execute HTML and Java Script code in the remote user context to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks may also be possible. - Moreover, Cross Site Scripting (XSS) vulnerabilities are caused due to lack of input validation. This allows malicious people to inject arbitrary HTML and script code. More info at: http://en.wikipedia.org/wiki/Cross-site_scripting All flaws described here were discovered and researched by: Rener Alberto aka Gr1nch. DcLabs Security Research Group gr1nch (at) dclabs <dot> com <dot> br [Patch(s) / Workaround] N/A [Greetz] DcLabs Security Research Group.