The security holes have been identified by Junaid Hussain

Mar 9, 2013 15:11 GMT

Security expert Junaid Hussain, aka TriCk of TeaMp0isoN, has identified several vulnerabilities in Keek.com, a relatively new social networking service that lets users upload video status updates from their webcams or through the Keek mobile apps.

Cross-site scripting (XSS) vulnerabilities have been identified in the Block User and Report User features, and on the Terms of Use webpage.

In addition, according to the expert, the Terms of Use page also has an open URL redirection vulnerability: a redirect parameter that the site follows without checking that the destination stays on keek.com, which lets an attacker hand out a trustworthy-looking keek.com link that lands on a site of their choosing.
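The article gives no details of the Terms of Use redirect, so the following is an added example, not Keek's code and not from the original report: the validation a redirect parameter needs before the server follows it. The host keek.example, the parameter name `next` and the sample URLs are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_HOST = "keek.example"  # assumed host, stands in for keek.com


def is_safe_redirect(target: str, allowed_host: str = ALLOWED_HOST) -> bool:
    """Accept only same-site destinations: an absolute path on this site, or an
    https URL whose host is exactly allowed_host. Everything else is rejected."""
    if not target or any(ord(c) < 33 for c in target):
        # Empty, or contains whitespace/control characters that browsers strip
        # before parsing; do not try to guess what the browser will do with it.
        return False
    # Browsers treat "\" like "/" in the authority position, so "/\evil.example"
    # is fetched as "//evil.example". Normalise first so urlsplit sees the same
    # structure the browser will.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme and parts.scheme.lower() != "https":
        # "javascript:", "data:", "http:" and friends are never valid targets here.
        return False
    if parts.netloc:
        # Exact host comparison defeats "keek.example.evil.example",
        # "keek.example@evil.example" and "keek.example:8080"; a protocol-relative
        # "//evil.example" has no scheme and fails the https requirement.
        return parts.scheme.lower() == "https" and parts.netloc.lower() == allowed_host
    # No authority: require an absolute path such as "/terms". A bare relative
    # path ("terms") is rejected as well, since it depends on the current URL.
    return normalised.startswith("/") and not normalised.startswith("//")


def redirect_target(requested: str, fallback: str = "/") -> str:
    """What a handler should actually redirect to: the requested `next` value
    only if it passes the check, otherwise a fixed in-site fallback."""
    return requested if is_safe_redirect(requested) else fallback


if __name__ == "__main__":
    # Constructed sample inputs, assumed for illustration.
    for candidate in ["/terms", "https://keek.example/terms", "//evil.example/",
                      "/\\evil.example", "javascript:alert(1)",
                      "https://keek.example@evil.example/"]:
        print(f"{candidate!r:45} -> {redirect_target(candidate)}")
```

The check is deliberately strict: it rejects http, ports, userinfo and bare relative paths rather than trying to enumerate every trick a parser-differential attack can use. A safe fallback on rejection keeps the feature working for legitimate links without ever following an attacker-chosen destination.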

A couple of Cross-Site Request Forgery (CSRF) issues have also been uncovered. One of them is a Logout CSRF, and the other affects the “change user email address” section of the site.

The second CSRF vulnerability can be exploited by an attacker to “change a user’s email address which could then lead to an attacker performing a ‘forgot password’ operation to gain access to a user’s keek.com account.”
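The chain described above (forge an email change, then use "forgot password" against the new address) depends on the email-change request being authenticated by the session cookie alone. As an added example that is not from the article and not Keek's code, the Python below simulates that flaw next to the synchronizer-token check that closes it. The handler layout, the origin keek.example, the form field names and the session data are all assumptions; nothing here reflects Keek's actual implementation.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SITE_ORIGIN = "https://keek.example"  # assumed origin, stands in for keek.com

# Constructed sample state: one logged-in victim identified by a session cookie.
ACCOUNTS: Dict[str, Dict[str, str]] = {"victim": {"email": "victim@example.com"}}
SESSIONS: Dict[str, str] = {"sess-victim": "victim"}  # cookie value -> username
CSRF_TOKENS: Dict[str, str] = {}                      # cookie value -> token


@dataclass
class Request:
    """Simplified HTTP request. The browser attaches cookies automatically,
    which is what makes CSRF possible; form fields and the Origin header
    come from whichever page submitted the request."""
    cookies: Dict[str, str]
    form: Dict[str, str]
    origin: Optional[str] = None  # Origin header; None if the browser omitted it


def change_email_vulnerable(req: Request) -> int:
    """Assumed shape of the flaw: the session cookie is the only check."""
    user = SESSIONS.get(req.cookies.get("session", ""))
    if user is None:
        return 401
    ACCOUNTS[user]["email"] = req.form["email"]
    return 200


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token: random, bound to the session, embedded in the real form."""
    token = secrets.token_urlsafe(32)
    CSRF_TOKENS[session_id] = token
    return token


def change_email_hardened(req: Request) -> int:
    session_id = req.cookies.get("session", "")
    user = SESSIONS.get(session_id)
    if user is None:
        return 401
    # Browsers send Origin on cross-site POSTs; any origin but our own is forged.
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return 403
    # The attacker's page cannot read the token out of the victim's session,
    # so a forged form cannot supply it. compare_digest avoids timing leaks.
    expected = CSRF_TOKENS.get(session_id)
    submitted = req.form.get("csrf_token", "")
    if not expected or not secrets.compare_digest(expected, submitted):
        return 403
    ACCOUNTS[user]["email"] = req.form["email"]
    return 200


def attacker_page(new_email: str) -> str:
    """HTML hosted on the attacker's site. A logged-in victim who loads it has
    the form submitted to the target with their session cookie attached."""
    return (
        f'<form id="f" method="POST" action="{SITE_ORIGIN}/settings/email">'
        f'<input type="hidden" name="email" value="{new_email}"></form>'
        '<script>document.getElementById("f").submit()</script>'
    )


def run_forged_request(handler, origin: Optional[str] = "https://evil.example") -> Tuple[int, str]:
    """Simulate the victim's browser submitting attacker_page() while logged in.
    Returns (status, victim's email afterwards)."""
    ACCOUNTS["victim"]["email"] = "victim@example.com"  # reset constructed state
    forged = Request(
        cookies={"session": "sess-victim"},        # attached by the browser
        form={"email": "attacker@evil.example"},   # chosen by the attacker
        origin=origin,                             # the page that submitted it
    )
    return handler(forged), ACCOUNTS["victim"]["email"]


def run_legitimate_request(new_email: str) -> int:
    """The real settings page: same-origin submission carrying the session's token."""
    token = issue_csrf_token("sess-victim")
    legit = Request(
        cookies={"session": "sess-victim"},
        form={"email": new_email, "csrf_token": token},
        origin=SITE_ORIGIN,
    )
    return change_email_hardened(legit)


if __name__ == "__main__":
    print("vulnerable handler, forged request:", run_forged_request(change_email_vulnerable))
    print("hardened handler, forged request:  ", run_forged_request(change_email_hardened))
    print("hardened handler, legitimate:      ", run_legitimate_request("new@example.com"))
```

Against the vulnerable handler the forged request succeeds because the browser attaches the Keek session cookie to any form submission aimed at the site, and from that point the attacker controls where password-reset mail goes. The hardened handler rejects the same request twice over, once on the Origin header and once on the missing token, so it still holds when an older browser omits Origin. The logout CSRF mentioned above is the same class of bug with lower impact and takes the same fix; SameSite cookie attributes, which browsers added later, are a further defense in depth rather than a replacement for the token.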

The expert, who is the founder of the illSecure.com platform, says he reported his findings to the company about a week ago but has received no response. He believes they might patch the issues silently.

“They obviously have to patch them. The email CSRF is a high risk vulnerability. Attackers can hijack any account with that exploit,” Hussain said via Twitter.

I've sent an email to Keek to see if they have anything to say about the issue.

Update. Hussain says Keek has silently fixed the security holes he discovered. Since they have been fixed, here are some technical details.