Today I found that my blog was hacked and an XSS vulnerability in Blogger was exploited.
So, What Happened?
1) Basically, somehow, someone had managed to post two new blog entries in my blog like so
2) I did some tests and it seems the "body" entry area for Blogger allows you to enter any script code you want, and Blogger does not check or filter out possible XSS attacks. Here is an example
3) As these new blog posts appear right on top, when someone visited my blog they were redirected to the bad URLs. As I also have FriendFeed polling my new blog entries into my Facebook account, these bad blog entries also made their way onto my Facebook profile (talk about a "Viral XSS Attack"!).
From doing some research on Google, it seems that this Blogger XSS vulnerability is a well-known issue, but the million-dollar question is:
How the heck did someone post new blog entries using my Blogger account?
Obviously I have changed my password, but I suspect:
* It was probably done using some other remote blog entry submission, possibly via an API?
* Or by someone stealing my HTTP cookies (not sure how that can be used, though)
Any ideas anyone?
Update 10/1/2011:
1) It actually seems as though my Gmail/Google account was compromised, as when I logged into Gmail today I was shown an alert saying that unusual activity was detected on my account, and clicking on it opened a pop-up that showed me these details. (You can also access this by clicking on the 'Last account activity' link at the bottom of your Gmail page.)
2) I also notified the Blogger team via their Twitter account about the XSS vulnerability and got a reply this morning saying that the issue has been escalated to the core Blogger team.
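A defensive check for the kind of injected posts described above, as an added example that is not part of the original post: it scans post bodies for script elements, meta refresh redirects, inline event handlers and `javascript:` URLs. The sample posts, domains and all function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample posts (title, body HTML); not taken from the original blog.
SAMPLE_POSTS = [
    ("Holiday photos", '<p>Back home. <a href="https://example.org/album">Album</a></p>'),
    ("Constructed injected post",
     '<p>hi</p><script>window.location="https://redirect.example/";</script>'),
    ("Constructed meta redirect",
     '<meta http-equiv="refresh" content="0;url=https://redirect.example/">'),
    ("Constructed handler",
     '<img src="x.png" onerror="location.href=\'https://redirect.example/\'">'),
]

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}   # elements that run or load code
URL_ATTRS = {"href", "src", "action", "formaction"}     # attributes that can carry javascript:


class ActiveContentFinder(HTMLParser):
    """Collects markup in a post body that can execute script or redirect a visitor."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and decodes entities in values.
        attrs = {name: (value or "") for name, value in attrs}
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            self.findings.append("meta refresh redirect")
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append(f"inline handler {name}")
            if name in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")


def scan_post(body_html):
    """Return a list of findings for one post body (empty list means nothing flagged)."""
    finder = ActiveContentFinder()
    finder.feed(body_html)
    finder.close()
    return finder.findings


def audit(posts):
    """Map post title -> findings, only for posts with at least one finding."""
    return {title: hits for title, body in posts if (hits := scan_post(body))}


if __name__ == "__main__":
    for title, hits in audit(SAMPLE_POSTS).items():
        print(f"{title}: {', '.join(hits)}")
```
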