This white hat found XSS vulnerabilities in a lot of high-profile websites

Feb 11, 2012 15:51 GMT

This week’s episode of Hackers around the world features the first white hat hacker to take part in our series. Up until now, we’ve only talked to black hats and gray hats, so we’ve decided to take a look at what a white hat has to say about vulnerabilities, hacktivist movements and life in general.

Ucha Gobejishvili, also known as Longrifle0x, from Georgia, is a Vulnerability Lab researcher who recently uncovered some pretty impressive flaws in websites such as Apple, NASA, ESA, Java.com, Nero.com, Google, Forbes, MySpace, MTV, Ferrari and even some US government sites.

Softpedia: Thanks to your latest findings you have become a respected white hat, maybe even among the best. Have you ever considered yourself a grey hat or a black hat, or did you know right from the start that you wanted to be on the good side of computer security?

longrifle0x: Good question! I think I am a White/Grey Hat and I am personally not connected to the black hat scene. I have a lot of friends in this scene but I am working on the white part of it as you can see in the news.

My decision to work on the white side of life is a perspective for the future, but sometimes I have a grey influence.

I think I am a respected and maybe an advanced/good researcher, but I do not think I am one of the best. I will try to get more respect and assistance because I will publish other software or service product issues in the future.

Softpedia: What is the significance of the name "longrifle0x"?

longrifle0x: The name is split into 3 words ... long rifle 0x! I think I do not need to comment on this name. It is as it is.

Softpedia: How old are you now and at what age did you start "playing" with computers? At what age did you start taking the security business more seriously?

longrifle0x: I started learning about computers and hardware at 12 and now I am 19 years old. I began working in the field of security about 4 years ago.

Four years ago, my country had some problems because of a Russian web attacker; I’m referring to the August 2008 occupation. I wanted to protect my country’s web servers after this incident, so I started getting deeper into the security & exploitation scene.

Softpedia: I know you are among the people who contribute their findings to the Vulnerability Lab. How did you end up working there?

longrifle0x: I looked around at the content of the Vulnerability-Lab about 1 year ago. To me, it is the only program I want to join because I do not wish to sell my issues to the government for any bounty.

The Laboratory is working on an independent level that grants the researcher a 100% payout of the vendor 0-day issues. All the material stored inside the Laboratory is exclusive and it’s not stuff you can find on the mirrors of 1337day, packetstorm, exp-hub or exploit-db.

I like the team and I like the idea behind it. That's maybe one of the reasons why people decided to let me join the internal research/lab team.

Softpedia: Tell us more about your work prior to joining the Vulnerability Lab team.

longrifle0x: A year ago, I searched for a good and well-known group to sometimes discover an issue on public news sites like Forbes or MySpace.

At first, my statistics were really bad on exploitation or publication, and I would release about one issue per month.

After I joined the Lab with a new account in December 2011, I have discovered the following remote vulnerabilities:

2012-02-01 - Sun Microsystems (Print) - Cross Site Scripting Vulnerability - Remote
2012-01-28 - Oracle Solution Website - Cross Site Scripting Vulnerabilities - Remote
2012-01-26 - Google BugBounty#9 - Cross Site Scripting Vulnerability - Remote
2012-01-24 - Opera Website - Cross Site Scripting Vulnerability - Remote
2012-01-22 - Parallels H Sphere v3.3 P1 - Multiple Persistent Vulnerabilities - Remote
2012-01-13 - Tine v2.0 Maischa - Cross Site Scripting Vulnerability - Remote
2011-12-23 - Facebook Global Football - SQL Injection Vulnerability - Remote
2011-12-22 - Gwibber v2.29.1 & v3.x - Persistent Software Vulnerability - Remote
2011-12-22 - Yahoo Babelfish Service - Cross Site Scripting Vulnerability - Remote
2011-12-21 - Facebook JuniorsCheesecakeFoxwoods - SQL Vulnerability - Remote
2011-12-20 - FBC Market v1.1 - Cross Site Scripting Vulnerability - Remote
2011-12-18 - Facebook Fit-ify! - SQL Injection Vulnerability - Remote
2011-12-14 - Facebook FitnessGrade - SQL Injection Vulnerability - Remote
2011-12-05 - Facebook Chartity (TAG) - SQL Injection Vulnerability - Remote

Now I am happy with my work and shared experience about it - security or vulnerability research. I hope I can top my statistics with better issues in the future. When I review the last publications, I consider them a good startup.

Softpedia: You have found a lot of vulnerabilities in important websites. What was the vulnerability you found that you are most proud of? Is there one that stands out?

longrifle0x: One of the most interesting issues was the Apple shop vulnerability. It was reported to Apple and they fixed it by shutting the shop down for 1-2 hours.

It has a great effect on customers and vendors if a shop needs to shut down its infrastructure for a medium (+) severity issue patch. I think I am a bit proud to have reported this issue because it protected the end-user and vendor.

Softpedia: I saw you posted many XSS vulnerabilities on XSSed.com. What do you think about the fact that most websites still contain the flaws you pointed out? Do you think they're irresponsible for leaving their visitors exposed?

longrifle0x: I think that the vendors mostly do not know how easily exploitable a cross-site scripting issue is. For example, Apple understands the problem and shuts down the shop for 1-2 hours to update the issue trying to prevent attacks against its customers.

Most people do not understand the problem, which is a big mistake from my perspective. My main website is Vulnerability-Labs, but I sometimes drop issues to mirror websites after the publication is in progress.

I think it’s OK that they know about the research I did and I hope they will soon recognize it directly.

Softpedia: What is your opinion on the work of hacktivists like Anonymous and such?

longrifle0x: I do not work with or against Anonymous or other activist groups. I also do not define myself with H/Activist groups because for me it is just like all the other illegally working groups.

They are not protecting the end user and not protecting the vendor, and this is something I can personally not accept as a researcher. They inform us as end users with compromised information, but I would not exchange private information for transparency against my right to not get my passwords listed in plain-text.

It’s like an invasion of the real exploiter/hacker scene that people like them try to get our tricks to follow their criminal ideology. The same happened in 2003-2009 with the carder scene that tried to get more influence on the hacking/exploit market to obtain more information for themselves.

I think a big problem in this case is also the press & daily news because they forward the information on specific groups to give them more influence. When the publication of news about this specific group is stopped, they will go down and get busted within the next half year, or become very insignificant.

At the end, these people will bring us more private observation than censorship or transparency freedom.

Softpedia: What do you do in your spare time, besides dealing with computer security related activities? What are your hobbies?

longrifle0x: Two of my favorite hobbies are Network/Server Administration with Linux and cooking food, like my Georgian special 1337 lasagna.