Security Information Vulnerability Research Security Blog

Project for the bored (lesson from a hacked forum)

January 8th, 2006 by , Filed under: Corporate Security, Web

Hello guys and gals, this is my first post here so be gentle.

I’m giving all the bored programmers out there a project here, I’ll just be giving some background first, please bear with me.

I’m a moderator on a fairly large forum, critical security. Like most other forums of that size there’s always someone trying to hack us. Well… one user did find a new flaw in IPB (which has been reported BTW) in the PMing system. Essentially this allowed him to run JavaScript when the recipient reads the PM. He sent me a PM with JavaScript which sends my session ID off to a remote page. He also had it alert the text “hacked”, which told me immediately what he’d done. I quickly changed me password and logged out. It was too late, he was in as me and there was nothing I could do.

Since he now had moderator rights he could warn people he disliked, remove topics and generally cause mayhem. At the same time I was desperately trying to wake the admins up to get them to at least suspend my account. Eventually it was all sorted of course, but it did leave me thinking.

Users should be able to suspend their own account for up to 24 hours so that if this happens they are able to stop it themselves. A plug in like this would be perfect for forums of all kinds but it could also be made for blogs, CMSes etc.

My idea was as follows: There’s a page with a form that asks for a username and password, along with one of those random pictures that prevents automated submitting of the form. The user would enter their log in details of the forum into the form and submit the form, they’d then get to choose how long to suspend their account for anywhere from 2-24 hours. They get a confirmation email where they could finalise the issue.

This would of course have to have safeguards, for instance only allowing 3 wrong username/password attempts per day per IP and something to prevent successive suspensions.

Now, as Maddox would have said; Why are programming visualisations when you could be making this? Who wants to watch their music?

Share

  • Pingback: WhiteAcid’s Scribblings » I’m posting on securiteam.com

  • sunshine

    Hi Sid! Welcome to the team!

    I have a small question:
    Although in some cases like the one you describe such a system could be critical in the moment of truth…

    Can’t the guy just hack another account if there is another admin, or do the same 24 hours later?

    I guess it’s a stop-gap. If it can be a secure system.

  • http://www.whiteacid.org WhiteAcid

    Thanks, and good questions.

    He’d have to fool another moderator into reading his PMs, I suppose it’d be up to the attacked moderator to inform the other mods to disable JavaScript before reading any PMs (which I now do).
    As to doing the same thing again later, the attacked moderator would inform the admin who could ban the user and fix the hole.

    It’s of course not a magical cure, but it does prevent immediate ruin of the forums. At least backups could be made before things get any worse.

  • http://two3.dajoob.com/ digi7al64

    I like the suspend account idea, but… as it can be used to stop the hacker it can also be used to stop admin/mods/staff from accessing the site as well. Therefore you could quite possibly get a situation where no one can stop the offender, their posts and any other actions they may take due to their accounts being suspended prior to the attack.

    Also since the first thing done on a hijacked account is to remove the true users password and reset with your own how could you overcome this problem when seeking to submit a suspend account command?

    In the end though as you have pointed out turning off javascript will stop (some) of these attacks but unfornately it can not stop all of them. The real solution therefore is with the development teams of these systems and they ways in which they detect and remove malicious code.

  • http://www.BeyondSecurity.com aviram

    I would have thought ‘logout’ would do the trick – if you changed your password, a simple ‘logout’ should force the attacker to enter the new password. Perhaps in this case the logout was only client-side, which is the real problem?

    I guess what I’m trying to say is that your ‘suspend my account’ idea should be doable with a ‘change my password and logout’ button.
    Another comment that came to mind is that you are a special case of someone who is willing to give up access to his account for the sake of security – unfortunately, I doubt there are many more like you out there ;-)

  • Roland Dobbins

    Full feeds, please?

    Thanks!

  • http://two3.dajoob.com/ digi7al64

    Aviram – The general scenario for an attack from the hackers perspective is

    1. Get valid account information without being detected.
    2. Access the account and reset the password to your own.
    3. Logout >> Login
    4. The true account owners login credentials are now invalid.

    Therefore if your password is changed you essentially are frozen out of the account. Also the logout situation you are talking about is only valid for server-side session variables which are killed on logout. For cookie based authenication systems (such as IPB which WhiteAcid was talking about) logging out is useless as a means of stopping a hacker.

  • http://www.whiteacid.org WhiteAcid

    Yeah, I thought logging out would have helped, but it hadn’t for reasons now made clear.

    The attacker wouldn’t be able to change the password as to do that you need the current password, which they don’t have.
    I think most users who are some elevated postition in a forum are responsible enough to realise that giving up your account for a while for security is a positivive thing.

  • lamer

    What a lame forum that is. On every normal forum you need to enter old password to change it. On some forums with even beter security, you need to revalidate your acc afterwards

  • http://www.BeyondSecurity.com aviram

    Roland – your wish is our command. Full feeds it is.

  • http://Nonya Nehmanator333

    Why didn’t you simply delete your account, so he could not use your account?

  • Share







  • Categories


Security RSS Subscribe