Three security researchers found vulnerabilities on the site of the programmer community

Oct 15, 2012 19:51 GMT  ·  By

Security researchers have identified a couple of persistent cross-site scripting (XSS) vulnerabilities on TopCoder.com, a community of over 425,000 software developers, digital designers and algorithmists.

Shadab Siddiqui and Anshul Rohira have identified vulnerabilities on a couple of topcoder.com subdomains.

“XSS is not a big deal, or is it? On many occasions, I’ve seen this vulnerability being classified as useless, not serious, and being a low threat. What I’ve always had in mind is that it’s only the capabilities of the browser, and the hacker’s mind which set the limit for an XSS attack,” Siddiqui told Softpedia via email.

“It may seem impossible to do anything else other than stealing sessions, cookies and performing phishing, client side defacements etc. But that is not always the case. In such a big website like TopCoder, I can make them accept challenges they don’t want to play, and challenge others' code without them being challenging.

“All this with the motive of lowering their ranking, which is crucial. Apart from that, there can be much harm done to their server and participants, as all their matches are played in Java applet so I can target programmers with a Java 0-day exploit and then ‘bang, bang!’,” he concluded.

Siddiqui and Rohira reported the security holes to TopCoder some time ago, but so far the company’s representatives have not responded to their inquiry.

In a separate analysis of the website, security researcher Prakhar Prasad has identified the same issues. He also claimed to have informed the site’s webmasters of the problems, but his notifications also fell on deaf ears.

“Big websites aren't taking XSS issues seriously, but it can ruin the website's reputation and security a lot, the same way a server-side vulnerability can do. As an example, I want to point to the incident where hackers gained root access on the Apache website by initially exploiting an XSS issue,” Prakhar told us.

Update. Shortly after the article was published, TopCoder representatives contacted Shadab Siddiqui and told him that the vulnerabilities have been addressed. They thanked him for reporting the issues.
