Saturday, March 8, 2008

Hacker: Prosper security 'above average'

The hacker who exploited cross-site scripting (XSS) vulnerabilities on Prosper called their security "above average" in a post on prospers.org. Although their security is better than that of most financial sites, the XSS vulnerability is significant and could, among other things, cause a site visitor to download unexpected images carrying malicious code, he said.

One Prosper lender showed he was able to change the displayed credit grade and DTI ratio of a borrower listing by introducing a style sheet in the listing description.
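The listing bug above is a classic output-encoding failure: the description is user text, but it is placed into the page as raw HTML, so a `<style>` block inside it can restyle neighbouring elements such as the credit grade. The example below is added here and is not Prosper's code; it assumes a hypothetical listing object with `creditGrade`, `dti` and `description` fields and a constructed sample description, and shows the vulnerable rendering next to an escaped one plus a check a test suite can run over the rendered HTML.

```javascript
// Added example, not Prosper's code. Renders a borrower listing two ways:
// raw interpolation (the defect described in the post) and HTML-escaped
// output, then checks whether user-supplied markup survived into the page.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can open or close HTML markup or attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable: every field, including the free-text description, is inserted unchanged.
function renderListingUnsafe(listing) {
  return `<div class="listing">` +
    `<span id="grade">${listing.creditGrade}</span>` +
    `<span id="dti">${listing.dti}</span>` +
    `<p class="desc">${listing.description}</p></div>`;
}

// Hardened: every user-controlled field is escaped at the point of output.
function renderListingSafe(listing) {
  return `<div class="listing">` +
    `<span id="grade">${escapeHtml(listing.creditGrade)}</span>` +
    `<span id="dti">${escapeHtml(listing.dti)}</span>` +
    `<p class="desc">${escapeHtml(listing.description)}</p></div>`;
}

// Regression check: does the rendered HTML contain any tag the template
// itself did not emit? Only the template's own tag names are allowed.
function containsForeignTag(html, allowed = ["div", "span", "p"]) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Constructed sample (hypothetical values): a description carrying a <style>
// block, the kind of injection the post describes. The real payload is not public.
const sample = {
  creditGrade: "C",
  dti: "35%",
  description: "Need funds for inventory. <style>#grade{visibility:hidden}</style>",
};

console.log("unsafe leaks markup:", containsForeignTag(renderListingUnsafe(sample)));
console.log("safe leaks markup:  ", containsForeignTag(renderListingSafe(sample)));
```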

In other cases, XSS vulnerabilities have been used to:

  • allow an attacker to run code on a user's machine, without their knowledge, after the user visits the infected page
  • trick the user into sending their username and password to the attacker by altering the original web page
  • allow the attacker to steal the user's cookie, which could enable the attacker to log in as the user

According to Prosper, "there are no known cases of hackers exploiting these vulnerabilities to date." Prosper will release a patch this weekend to fix the vulnerability.
