Feb 21, 2011 10:21 GMT

Researchers from security vendor M86 Security have identified a serious cross-site scripting (XSS) vulnerability in the RapidShare.com website which could have allowed attackers to scam the site's users.

RapidShare is one of the largest file hosting providers on the Internet and with hundreds of millions of monthly visitors it is among the world's top 50 websites by traffic.

Like any popular free service, RapidShare is constantly being abused by cybercriminals to host malware or copyrighted content.

M86 researchers decided to test the RapidShare error page that is shown when a download server is too busy, and found a serious XSS weakness in it.

"We decided to test the error message and found that there is an improper input validation vulnerability in the 'downloaderror' field," M86 security researcher Yaniv Miron writes.

"We can control all of the 'downloaderror' fields. For example, the file folder (623624), the file name (test.avi), and of course the error message," he explains.

This is a DOM-based cross-site scripting attack: it relies on the victim opening a specially crafted URL, and it is invisible to the server because the malicious payload is placed after the # fragment identifier in the link. Browsers never send the fragment to the server, so neither RapidShare's server logs nor any server-side filtering would ever see the injected content; the page's own client-side JavaScript reads it from the URL and writes it into the document.
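To make the mechanism concrete, the following is an added illustration, not RapidShare's code: the real page's markup and the exact way it encoded the 'downloaderror' values in the URL are not described in the advisory, so the `#folder=...&filename=...&msg=...` fragment layout, the element names and the sample payload are all assumptions for the demo. It shows three things: that the fragment never appears in what the browser requests from the server, how a page that concatenates fragment values into HTML (the kind of markup that is then assigned to `innerHTML`) becomes a DOM-XSS sink, and how the same rendering looks once the values are treated as text.

```javascript
// Added example, not code from RapidShare or M86. The fragment layout,
// parameter names and payload below are assumed for illustration only.

// What the browser actually sends to the server: path and query string.
// Everything after '#' stays in the client and never reaches the server.
function requestTarget(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// Client-side parse of the fragment into key/value pairs.
// Assumed layout: #key1=value1&key2=value2 (not RapidShare's real scheme).
function parseFragment(urlString) {
  const u = new URL(urlString);
  const frag = u.hash.startsWith('#') ? u.hash.slice(1) : u.hash;
  return Object.fromEntries(new URLSearchParams(frag));
}

// VULNERABLE sink: attacker-controlled fragment values are concatenated
// straight into markup. A page doing element.innerHTML = renderErrorVulnerable(p)
// would execute whatever the attacker put into the fragment.
function renderErrorVulnerable(p) {
  return '<div class="downloaderror">' +
    '<p>File ' + p.folder + '/' + p.filename + '</p>' +
    '<p>' + p.msg + '</p>' +
    '</div>';
}

// Minimal HTML escaping for the five characters that matter in text content
// and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// HARDENED rendering: every untrusted value is escaped before it is placed
// in markup. In a real page the preferable fix is to avoid innerHTML entirely
// and assign the values via textContent / createTextNode, which needs no escaping.
function renderErrorSafe(p) {
  return '<div class="downloaderror">' +
    '<p>File ' + escapeHtml(p.folder) + '/' + escapeHtml(p.filename) + '</p>' +
    '<p>' + escapeHtml(p.msg) + '</p>' +
    '</div>';
}

// Constructed sample link of the kind a scammer might mail out. The visible
// path looks like an ordinary file link; the payload rides in the fragment.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';
const SAMPLE_URL = 'https://rapidshare.com/files/623624/test.avi' +
  '#folder=623624&filename=test.avi&msg=' + encodeURIComponent(PAYLOAD);

// Stand-alone run: show what the server sees versus what the DOM would get.
if (typeof require !== 'undefined' && require.main === module) {
  const params = parseFragment(SAMPLE_URL);
  console.log('server sees   :', requestTarget(SAMPLE_URL));
  console.log('vulnerable DOM:', renderErrorVulnerable(params));
  console.log('hardened DOM  :', renderErrorSafe(params));
}
```

The point of `requestTarget` is the detection caveat: a WAF, access log or server-side validator inspecting the request would only ever see `/files/623624/test.avi`, so a DOM-based flaw of this kind has to be found and fixed in the client-side script, not filtered at the server.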

Attackers could send fake emails with a link to an allegedly interesting file, for example, something like "WikiLeaks releases video of American soldiers shooting innocent civilians in Iraq. Download here: http://rapidshare.com/files/[file_id]/[file_name].avi"

In reality, the link would point to a specially crafted rapidshare.com URL which, when opened in the browser, would display an error page with a message reading: "Too many users downloading from the server right now. Get an 80% discount coupon for a Pro Account by sending a free SMS to [premium rate number]. Limited offer."

In this case, people interested in getting a Pro account for a low price would send what they believe to be a free SMS - but which actually isn't - to a special number set up by the scammer.

Fortunately, this vulnerability was found not by cybercriminals but by researchers who responsibly reported it to RapidShare. The issue has since been resolved, but the incident serves as a good example of how a simple input validation flaw on a popular website can be turned into a tool for financial gain.