This story proves that hackers and site owners can work together on fixing vulnerabilities

Feb 17, 2012 10:38 GMT  ·  By

Last week, members of TeamHav0k found a serious cross-site scripting (XSS) vulnerability in Songfacts, the popular site that has offered music lovers tons of information on songs and artists since 1999. The hackers provided us with a proof-of-concept and we forwarded the information to Songfacts, which quickly acted on securing the site.

TeamHav0k, the grey hat hacker collective that’s famous for finding a large number of vulnerabilities in websites that belong to NASA, Sony, Yale, Google, and government organizations worldwide, recently proved that they really want to lend a hand to site administrators when it comes to securing sites.

We had the opportunity to mediate the disclosure of the vulnerability to Songfacts, which acted responsibly to ensure that its users would be safe while browsing the site.

“This is what we do, we are grey hat. Those who deserve to not be exploited are helped, but if it is a corrupt government or corporation, we’re taking a whole new ball game for them,” the hackers said.

The grey hats discovered that the search feature on Songfacts reflected the submitted search string back into the results page without sanitizing it, a non-persistent (reflected) XSS flaw that would let cybercriminals run script of their choosing in the browser of any visitor who followed a crafted link.

“We took your alert seriously, and audited our code. The philosophy of our developer: We must always be cautious of the GET variables being delivered by the search form process,” Carl Wiser, a Songfacts representative, told us.

“Scrubbing user-supplied data prior to use is a must. Never trust user-supplied data, including that which is sent in the REQUEST_URI and any associated QUERY_STRING.”
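As an added illustration of that principle, and not code from Songfacts or TeamHav0k (the site ran on Lasso; this is Python, and the parameter name `q`, the page layout and the sample URL are assumptions), here is a search page that reflects the GET variable unescaped, the hardened version that escapes it, and the kind of re-test the hackers ran after the fix: feed a marker payload through the page and see whether it comes back verbatim.

```python
"""Reflected XSS in a search page: the vulnerable rendering beside the hardened
form, plus the re-test a grey hat would run after the fix.  Added example; the
parameter name 'q', the page markup and the sample URL are assumptions."""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: a search URL carrying a script payload in the
# GET variable 'q' (the real Songfacts parameter name is not on the page).
SAMPLE_URL = "https://example.invalid/search?q=%3Cscript%3Ealert(1)%3C/script%3E"

# Constructed marker payloads: one for element content, one that tries to
# break out of a quoted attribute value.
PAYLOADS = ['<script>alert(1)</script>', '" onfocus="alert(1)']


def search_term(url: str) -> str:
    """Pull the 'q' GET variable out of the QUERY_STRING of a request URI."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("q", [""])[0]


def render_vulnerable(term: str) -> str:
    """Before: the search term is dropped straight into the HTML, so a <script>
    tag or an injected event-handler attribute runs in the visitor's browser."""
    return (
        "<h1>Search results</h1>\n"
        f"<p>You searched for: {term}</p>\n"
        f'<input type="text" name="q" value="{term}">'
    )


def render_hardened(term: str) -> str:
    """After: every reflection of user data goes through HTML escaping, with
    quote=True so a double quote cannot close the attribute value either."""
    safe = escape(term, quote=True)
    return (
        "<h1>Search results</h1>\n"
        f"<p>You searched for: {safe}</p>\n"
        f'<input type="text" name="q" value="{safe}">'
    )


def is_reflected_unescaped(render, payload: str) -> bool:
    """Re-test: the page is still vulnerable if the raw payload appears verbatim
    in the response body.  Escaping turns '<' into '&lt;' and '"' into '&quot;',
    so the marker no longer matches."""
    return payload in render(payload)


def retest(render) -> dict:
    """Run every marker payload through a renderer; True means still reflected raw."""
    return {p: is_reflected_unescaped(render, p) for p in PAYLOADS}


if __name__ == "__main__":
    print("term from URL:", search_term(SAMPLE_URL))
    print("vulnerable:", retest(render_vulnerable))
    print("hardened:  ", retest(render_hardened))
```

Note that `html.escape` is the right scrub only for HTML element content and quoted attribute values; data reflected into a `<script>` block, a URL or a CSS value needs the escaping rules of that context instead, so the re-test should target every place the search term lands, not just the results heading.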

After the site’s developer addressed the issue, TeamHav0k had another crack at it and concluded that the XSS vulnerability was no longer present. They also provided a great explanation on the dangers of XSS flaws, even if they’re non-persistent.

“Most people don't see XSS as a dangerous vulnerability unless it is a persistent one. Well, I would just like to inform those who think this: you are wrong,” the hackers said.

“If the attacker has the proper knowledge of XSS and has some Social Engineering skills he/she can then send a non-persistent payload to a victim which from there the attack can open up a backdoor on the victim's computer taking complete control, total OS compromise.”

They explain that this can be accomplished simply by taking advantage of a few open-source tools.

“XSSF or Cross Site Scripting Framework can be utilized with MSF or Metasploit Framework in order to open up a meterpreter shell to the victim, as well as steal cookies among other nasty things.”

Grey hat hackers often say that they are forced to resort to data leaks and defacements to draw website administrators' attention to dangerous vulnerabilities, but this situation clearly proves that it doesn't always have to be so.

Even though this doesn't necessarily mean that the website is now 100% secure, it proves that hackers can collaborate well with site admins, and it also shows that there are security-conscious site owners who really do care for their customers' wellbeing.

“The user experience is very important to us on Songfacts - no pop-ups, takeovers or other annoying forms of advertising. And while we spend lots of time interviewing songwriters and telling the stories behind the songs, we also must ensure that our readers are protected,” Wiser added.

“Security has gotten much more complex since we launched in 1999 using the Lasso data engine to display the song information from our Xserve (we did everything on Macs). Back then, the battle was getting pages to load on Netscape browsers connected to dial-up modems.”

We applaud the efforts of both TeamHav0k and Songfacts for showing that even though “security is just an illusion,” it can always be improved to make the Internet a safer place.