Acest articol este scris atat in limba romana cat si in engleza.

Rude.com is an online adult community with a large number of members. Its pretty heavy and stuffed with alot of features in their desire to unite several adult services into one large site. Such features as porn videos, amateur videos, amateur live cams, private cams, social network, xxx games etc., seem to manage to attract some attention to it.

Yet, visiting rude.com can be a hazard for you. Why?

You can insert javascript in any comments box of each profile. I dont mean inserting the script in your own profile but the possibility to do this with ALL the profiles on the website.

The method is extremely simple. With your comment, add <img src=”" onerror=”evil javascript code”>, which gets executed everytime someone sees that profile. Example: <img src=”" onerror=”alert(1)”>.

This vulnerability is extremely dangerous for rude.com users especailly when we know there are payed services on the website. Wouldn’t want to be one of their paying members.

Suppose you are a paying client and want to see a live xxx show. You buy some chips (credit) and while you do that, your session cookie gets stolen. Next thing you know, your credit is being used by someone else. And here you are faced with two options:

1. You dont notice that and you dont take any counter measure.

2. You notice and make a chargeback and the model and the website loses their money. Your credit score is affected, the website gets a bad reputation and the model is left with no money.

Of course this kind of vulnerability can be used for phishing, generate traffic on other websites or to hide some XSS attacks targeting other websites (yahoo, gmail, ebay, paypal etc.).

The possiblity to insert an XSS worm is extremely simple and the owners of this website know about this isue for over a year and still, nobody seems to bother.

Rude.com este o comunitate adult cu un numar mare de membri. Este un site stufos ce si-a dorit sa uneasca mai multe servicii gen porn videos, amateur videos, amateur live cams, private cams, social network, xxx games etc., complexitatea acestuia facandu-l destul de cunoscut in US.

Si totusi este un adevarat pericol sa vizitezi acest site. De ce?

In rubrica comments a fiecarui profil se poate insera javascript. Nu, nu ma refer doar la inserarea scripturilor in propriul profil, ci la posibilitatea de a face acest lucru in TOATE profilele existente pe acest site.

Metoda este extrem de simpla. In spatiul de comentarii se  adauga <img src=”" onerror=”evil javascript code”>, iar la vizualizarea profilului acest cod se executa. Exemplu: <img src=”" onerror=”alert(1)”>.

Aceasta vulnerabilitate este extrem de periculoasa pentru userii rude.com mai ales ca exista servicii platite ce pot provoca gauri in bugetul utilizatorilor.

Sa luam ca exemplu un client al showurilor private. Omul isi cumpara chips-uri (credit), i se fura cookies si i se foloseste contul. Aici exista doua posibilitati:

1. Clientul nu ia nicio masura sau poate nu observa disparitia creditului din cont.

2. Clientul observa, face chargeback, iar modelul care a beneficiat de show-ul privat cu “atacatorul” nu isi primeste banii. Credit score-ul clientului are de suferit, imaginea site-ului are de suferit, modelul nu isi primeste banii.

Desigur ca acest tip de vulnerabilitate poate fi folosit la phishing, generarea traficului pe alte site-uri sau pentru ascunderea unor atacuri xss asupra unor alte servicii web (yahoo, gmail, ebay, paypal etc.).

Posibilitatea de a implementa un xss worm este extrem de facila.

Proprietarii rude.com stiu de peste un an de zile de aceasta problema dar dupa cum se poate observa nimeni nu a facut nimic.

NOTA: accesarea site-ului din Romania se poate face doar cu ajutorul unui ip extern. Toate ip-urile romanesti sunt banate si vizitatorii din aceasta tara sunt redirectionati automat catre alt site.

Related Posts

• February 8, 2009 -- XSS Ownage – hi5 vs. Yahoo! + video
• January 28, 2009 -- filefront.com, permanent XSS + virus propagat prin el
• January 22, 2009 -- Yahoo! again – XSS
• December 8, 2008 -- Yahoo.com SQL Injection, XSS [se intampla si la case mari]
• November 13, 2008 -- XSS in Wordpress.com si Wordpress MU