Friday, March 7, 2008

'Ninja' hacks Prosper

According to GhettoWebmaster.com, Prosper's listing feature is open to XSS attacks and other hacks. GettoWebmaster demonstrated the potential by changing the background color of his own humorous borrower listing: Ninjas need funding for anti-pirate propaganda campaign.


According to a message he sent to Prosper, "Your member profile and listing pages are likely open to cross site scripting (XSS) attacks and other hacks at the moment. You can take a look at my profile and current listing to see that I did some light CSS tweaking to customize those pages. I didn’t test any potentially malicious stuff since this is a financial site."

Previously GettoWebmaster found vulnerabilities in the popular HotOrNot dating site. At that time he reported the vulnerabilities on HotOrNot could:

  1. Auto-redirect all visitors to my profile to the url of my choosing.
  2. Render the entire page blank.
  3. Replace the entire profile with an image of the profile which was linked to the url of my choosing. etc, etc, etc…

When borrowers create a new listing they have the option to edit the source html of the loan description as shown below. This is where the vulnerabilities were apparently introduced.


A discussion about the ninja listing can be found on the prospsers.org forums. It looks like Prosper needs that new software engineer ASAP.

No comments: