Date:
02 November 2007
Incident Type: Security Breach
WASC Threat Classification: Abuse of Functionality
While most WHID entries are about web site breaches, sometimes a vulnerability in a web application is used indirectly. Redirection functions in web applications are commonly abused by spammers and phishers: they let the attacker put an honest-looking URL in an e-mail, which gets past spam filters and observant users alike while still delivering the victim to the attacker's site.
Symantec's response team found an actively exploited alternative in the best-known page on the Internet: Google's main search page. Using Google's famous "I'm Feeling Lucky" feature, the spammer can send the victim straight to the first result of a search. All the spammer is left with is finding a query for which his site comes up first on Google.
This method has another advantage over a redirection page: the final target is specified by a search string rather than by a URL, which bypasses smarter filters that know, or learn, that a URL passed as a parameter of another URL is most probably a redirection.
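As an added illustration (not part of the original WHID entry and not Symantec's or Google's code), the following Python snippet shows a mail-filter URL classifier of the kind described above: it flags a URL that carries another URL as a parameter, and it shows why a search-engine "lucky" redirect slips past that check. The parameter name btnI, taken here as the key Google's search form sends for the "I'm Feeling Lucky" button, and the sample URLs are assumptions made for this example.

```python
# Added example: a mail-filter URL classifier, with the gap that a
# search-engine "I'm Feeling Lucky" redirect exploits.  Parameter and
# host names are assumptions for illustration, not taken from the entry.
from urllib.parse import urlparse, parse_qs

# Assumed: the query-string key Google's search form sends for the
# "I'm Feeling Lucky" button.
LUCKY_PARAM = "btnI"


def nested_url_params(url: str) -> list[str]:
    """Query parameters whose value is itself an absolute URL.

    This is the classic open-redirect shape a 'smart' filter learns:
    /redirect?url=http://attacker.example/...
    """
    query = parse_qs(urlparse(url).query)
    return sorted(
        key for key, values in query.items()
        if any(v.lower().startswith(("http://", "https://")) for v in values)
    )


def is_lucky_search(url: str) -> bool:
    """True for a search-engine query that auto-redirects to its first hit.

    The destination is not in the URL at all, only the query that will
    rank the attacker's page first, so nested_url_params() cannot see it.
    """
    parts = urlparse(url)
    host = parts.netloc.lower()
    query = parse_qs(parts.query)
    return (
        (host == "google.com" or host.endswith(".google.com"))
        and parts.path == "/search"
        and "q" in query
        and LUCKY_PARAM in query
    )


def classify(url: str) -> str:
    """Label a URL the way a spam filter might."""
    if nested_url_params(url):
        return "nested-url-redirect"
    if is_lucky_search(url):
        return "search-redirect"
    return "plain"


if __name__ == "__main__":
    # Constructed sample URLs (not from the entry).
    for sample in (
        "http://bank.example/redirect?url=http://evil.example/login",
        "http://www.google.com/search?q=unique+spam+phrase&btnI=1",
        "http://www.google.com/search?q=unique+spam+phrase",
    ):
        print(f"{classify(sample):22} {sample}")
```

A filter that only looks for nested URLs labels the second sample "plain"; it needs a separate rule for auto-redirecting search queries, because the attacker's destination never appears in the link.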
References:
Date:
11 June 2007
Incident Type: Security Breach
WASC Threat Classification: Abuse of Functionality, Insufficient Anti-automation, Insufficient Session Expiration
The CNBC stock trading reality TV show was even more real than the contenders thought it would be. It seems that players learned to cheat the game by opening the browser form to buy a stock before the market closed and submitting the transaction, at the price fixed when the form was opened, only after the close, when more information was already available.
The interesting anecdote is that the person who discovered the issue had himself used a different, but also questionable, technique: maintaining a very large number of portfolios, each managed by an automated program, exploiting the fact that the game allowed a user any number of portfolios but counted only the best one. Kosher, but stinks.
This story recalls an older one (see the 29 August 2005 entry below) about a predictable delay in a poker game that enabled gamblers to beat the house.
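An added example in Python (not from the WHID entry and not the game's own code) of the flaw described above: an order handler that honours the price baked into an order form whenever the form is submitted, beside one that re-prices at execution time, rejects submissions outside trading hours, and expires stale forms. The toy market model, the 60-second form lifetime and the prices are assumptions constructed for this illustration.

```python
# Added example: stale-order-form cheat and a hardened handler.
# Market hours, prices and the form lifetime are constructed assumptions.
from dataclasses import dataclass

FORM_TTL_SECONDS = 60  # assumed: how long a rendered order form stays valid


class OrderRejected(Exception):
    pass


@dataclass(frozen=True)
class OrderForm:
    symbol: str
    quantity: int
    quoted_price: float  # price shown when the form was rendered
    issued_at: float     # server clock at render time (seconds)


@dataclass(frozen=True)
class Fill:
    symbol: str
    quantity: int
    price: float


class Market:
    """Toy market: open until close_at; prices keep moving afterwards."""

    def __init__(self, close_at: float, prices: dict[str, float]):
        self.close_at = close_at
        self.prices = dict(prices)

    def is_open(self, now: float) -> bool:
        return now < self.close_at

    def price(self, symbol: str) -> float:
        return self.prices[symbol]


def execute_vulnerable(form: OrderForm, now: float, market: Market) -> Fill:
    """Fills at the form's quoted price, no matter when it is submitted.

    A player who opened the form before the close and submits it after
    post-close news gets the pre-news price.
    """
    return Fill(form.symbol, form.quantity, form.quoted_price)


def execute_hardened(form: OrderForm, now: float, market: Market) -> Fill:
    """The server decides the price at execution time, and stale forms die."""
    if not market.is_open(now):
        raise OrderRejected("market is closed")
    if now - form.issued_at > FORM_TTL_SECONDS:
        raise OrderRejected("order form expired; reload the quote")
    return Fill(form.symbol, form.quantity, market.price(form.symbol))


def replay_cheat() -> tuple[Fill, str]:
    """The scenario from the entry: form opened at t=100, market closes at
    t=200, after-hours news moves the price, the form is submitted at t=300."""
    market = Market(close_at=200.0, prices={"ACME": 10.0})
    form = OrderForm("ACME", 100, market.price("ACME"), issued_at=100.0)
    market.prices["ACME"] = 14.0  # after-hours news, price now known to the player
    cheated = execute_vulnerable(form, 300.0, market)
    try:
        execute_hardened(form, 300.0, market)
        outcome = "filled"
    except OrderRejected as exc:
        outcome = str(exc)
    return cheated, outcome


if __name__ == "__main__":
    fill, outcome = replay_cheat()
    print(f"vulnerable handler filled at {fill.price}; hardened handler: {outcome}")
```

The two checks in the hardened handler map onto the entry's classification: re-pricing at execution and closing the market to submissions address the abuse of functionality, and the form lifetime is the session-expiration control the game lacked.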
References:
Date:
16 June 2006
Incident Type: Security Breach
WASC Threat Classification: Abuse of Functionality, Cross-site Scripting
A bug in MySpace allowed a single click on an incoming bulletin to forward it to all of the recipient's contacts, making it far too easy to spread a worm (or any content, for that matter).
References:
Date:
05 December 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Abuse of Functionality, Cross-site Scripting
An XSS in the notification of an incoming IM message. Additionally, it is possible to send an IM message to somebody who has blocked such messages by pretending to be replying to a message from him.
References:
Date:
29 August 2005
Incident Type: Security Breach
WASC Threat Classification: Abuse of Functionality
A player of an online game discovered that a considerable delay in the game hinted at the cards the dealer was holding.
References:
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.