The Turkey Curse
fukamis terror chatroom

Finding friends on teh intarweb, Part 1

Pungenday, 23rd Chaos, 3172.

Geeks like me are often ugly, lonely as well as somehow mentally and socially disrupted. Luckily there are a bunch of social services out there which are very helpful to get around that problem. But to get on the list of people can be very cumbersome: you need to chat or even meet someone IRL i.e. at conferences, bars and stuff. So the main question is how that can work without any user interaction from the other side, injecting AJAX, using SQL injections or uberl33t exploits. In some cases the answer can be _very very_ simple, so simple that it’s not even real funny.

First of all you need to have a service which performs the interessting parts via HTTP GET requests. One example is Plazes, a quite popular geo location service. To add a person as a friend at Plazes the requests looks like *[hash_of_user_name]*.

Second you need to trigger this script with credentials of the person who should add you as his/her friend. For this it’s handy to have a blog, a website, a feed or something like that and include for example an image tag, but instead of using a real image, use the URI for the trigger. Since the browser doesn’t know if the request points to a picture or another ressource, it just calls the URI and performs the script for that user without his knowledge. If the user hasn’t logged off the service properly (which is the case very often) the request will be successful, even he’s not actually logged in (well, he is from the applications point of view). Most of you propably already recognized that this simple and well known technique often called CSRF (for Cross Site Request Forgeries).

I recognized a very interesting and neat detail: All users I got an my list are Mac users, and all of them are using NetNewsWire as their preferred feed reader. So NNW, as an application which is based on WebCore, shares the cookie file located under _/Users/username/Library/Cookies/Cookies.plist_ with Safari, which opens a bunch of highly entertaining possibillities.

So if you like to try that at home, hurry up. I guess they’ll change it soon and use a unique token as an extension which will make it a bit more difficult for you to get the friends you are looking for. But even if this doesn’t work any longer, there are much more services out there which are sometimes even worse …



Just to make it clear: My intention was not to show how to exploit plazes or to blame them. It was just an example on a general issue, not more, not less.



  1. Cross Side Request Forgeries (CSRF) - Problem bei Plazes

    Ja, auch bei mir ist fukami nun ein Freund bei Plazes, obowhl ich mich dort schon länger nicht mehr eingeloggt, geschweige denn “Freundschaften” geschlossen habe. Schuld daran ist ein sogenanntes CSRF-Problem, dass nicht nur Plazes betrifft, aber do…

    Trackback by The blog that never sleeps — Pungenday, 23rd Chaos, 3172. @ 57988

  2. […] Hmm, wenn fukami damit recht hat, stinkt plazes ja wirklich.. Damit ich meinem Ruf als komischer Nerd der jeden zweiten Trend erstmal nachmachen muss, teste ich das hier auch gleich. :-) - auf jeden Fall bin ich durch die Rumexperimentiererei schon mal “mein eigener Freund”. Oh mann, arm. […]

    Pingback by fh » Blog Archive » Ausprobieren — Pungenday, 23rd Chaos, 3172. @ 75416

  3. So, die CSRF- und XSS-Probleme sollten jetzt gefixt sein. Wenn Euch was neues auffällt: bitte melden. Thanks!

    Comment by stefan — Sweetmorn, 26th Chaos, 3172. @ 64793

  4. […] Der Bug, den fukami gefunden hat, und ich dann gleich mal nachmachen musste, ist nun wohl behoben. Stefan vom Plazes-Team hat das auch hier im Blog mitgeteilt. Aber hey, Stefan, dass du wirklich glaubst, dass Wordpress so was billiges durchgehen lässt, enttäuscht mich schon etwas. […]

    Pingback by fh » Blog Archive » Plazes und das XSS — Sweetmorn, 26th Chaos, 3172. @ 65456

RSS feed for comments on this post. | TrackBack URI

Leave a comment

"The great tragedy of Science - the slaying of a beautiful hypothesis by an ugly fact." - Thomas H. Huxley

The Turkey Curse is powered by WordPress, template idea by Priss

Entries (RSS) and Comments (RSS).
Generated in 0.041 seconds.