Thursday, January 08, 2009

Hacking JS-Kit reviews widget

I just installed the JS-Kit reviews system on my blog below. I was amazed to find the following security holes:

1) No CAPTCHA protection on posts. This means anyone can flood the reviews with bogus entries and spam. Want to bring down the reviews system? Just write a four-line script that requests this URL in a loop:
http://js-kit.com/comment.put?ref=http://notskateboarding.blogspot.com%2F&permalink=http%3A%2F%2Fmysite.com%2Fpermanent%2Flink%2Fto%2Fpage.html&rvy=1&js-CmtName=reviewer04&js-CmtCity=san%20franciso%2C%20USA&js-CmtEmail=geoff.hendrey%40gmail.com&js-Cmtsubmit=Submit%20review&js-CmtsubmitOrig=Submit%20review&js-CmtsubmitReply=Submit%20comment&js-Cmtcancel=Cancel&js-CmtText=BBBBBBBBBBBBBBBBBBBBBBBBBBB&js-CmtRating=8&tid=jst-1

2) Email spam the person who posted a comment you don't like! This one is really amazing! Want to send someone 1000 emails anonymously? Same technique as above: just submit it as a comment (a reply) instead of a new posting, and the person who made the original posting gets 1000 emails.
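Both holes come down to the same missing control: the submission endpoint accepts an unlimited number of requests from one source, and every stored reply fans out into an e-mail to the original poster. The following is an added example of the server-side throttling a practitioner would want here; it is not JS-Kit's code, and the limits, the `example.invalid` endpoint, the field parser and the request log are all constructed for illustration. A sliding-window limiter is keyed once by client IP (to stop the single-client flood) and once by notification recipient (so a distributed flood of replies still cannot turn into 1000 e-mails to one person).

```python
"""Per-client and per-recipient throttling for a comment-submission endpoint.

Added example, not JS-Kit code. The request log at the bottom is constructed
to reproduce the two abuses in the post: one client looping on comment.put,
and a flood of replies that would each e-mail the original poster.
"""
from collections import defaultdict, deque
from urllib.parse import parse_qs, urlsplit

# Assumed policy values; a real deployment would tune these.
POSTS_PER_CLIENT = 5      # submissions one client IP may make per window
POST_WINDOW = 60.0        # seconds
MAILS_PER_RECIPIENT = 3   # notification e-mails one address may get per window
MAIL_WINDOW = 600.0       # seconds


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)  # key -> timestamps of allowed events

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop events that have aged out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def parse_comment_put(url):
    """Pull the fields this example uses out of a comment.put-style URL
    (the js-Cmt* parameter names are the ones visible in the post's URL)."""
    qs = parse_qs(urlsplit(url).query)
    first = lambda k, d="": qs.get(k, [d])[0]
    return {
        "permalink": first("permalink"),
        "name": first("js-CmtName"),
        "text": first("js-CmtText"),
        "is_review": first("rvy", "0") == "1",
    }


def handle(requests, post_limiter=None, mail_limiter=None):
    """Run a sequence of (ts, client_ip, url, notify_to) through the limiters.

    `notify_to` is the address that would be e-mailed about the submission
    (the original poster, for a reply) or None for a top-level review.
    Returns counts of what was stored and what was actually mailed.
    """
    post_limiter = post_limiter or SlidingWindowLimiter(POSTS_PER_CLIENT, POST_WINDOW)
    mail_limiter = mail_limiter or SlidingWindowLimiter(MAILS_PER_RECIPIENT, MAIL_WINDOW)
    stats = {"stored": 0, "rejected": 0, "mailed": 0, "mail_suppressed": 0}
    for ts, ip, url, notify_to in requests:
        fields = parse_comment_put(url)
        if not fields["text"] or not post_limiter.allow(ip, ts):
            stats["rejected"] += 1
            continue
        stats["stored"] += 1
        if notify_to is not None:
            # The comment is stored either way; only the e-mail is throttled.
            if mail_limiter.allow(notify_to, ts):
                stats["mailed"] += 1
            else:
                stats["mail_suppressed"] += 1
    return stats


# Hypothetical endpoint and permalink; the text parameter is appended per request.
BASE = ("http://example.invalid/comment.put?permalink=http%3A%2F%2Fexample.com%2Fpage.html"
        "&rvy=1&js-CmtName=reviewer04&js-CmtRating=8&js-CmtText=")


def flood_log():
    """Constructed traffic: one client fires 20 reviews in 10 s, then 30 replies
    to one post arrive from 30 different addresses (a distributed flood)."""
    log = []
    for i in range(20):
        log.append((i * 0.5, "198.51.100.7", BASE + "BBBB", None))
    for i in range(30):
        log.append((100.0 + i, "203.0.113.%d" % (i + 1), BASE + "reply%d" % i,
                    "victim@example.com"))
    return log


if __name__ == "__main__":
    print(handle(flood_log()))
```

On the constructed log the single-client burst is cut to 5 stored reviews and the 30-reply flood results in 3 e-mails, with the remaining 27 suppressed even though every reply came from a different address. That second limiter is the important one: an IP-keyed limit alone is trivially bypassed with proxies, and content filtering such as Akismet judges what a message says, not how many of them one recipient is being sent.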

2 comments:

  1. Hi Geoffrey - Chris here from JS-Kit.

    The reviews product is based on very old code and is due for a major overhaul. Thanks so much for identifying these problems, I will get our engineers to look at them as a matter of priority.

    If you have any other ideas or feedback re: our products, please do not hesitate to contact me (chris@js-kit.com) and we will be happy to get it sorted out for you!

    Cheers,

    Chris

  2. Hi Geoffrey, I am Lev Walkin from JS-Kit.

    1. No CAPTCHA protection on posts: We are using Akismet for automatic anti-spam protection. We don't need to burden our users with something as user-unfriendly as captcha. Our system catches misuse of our comments code and quickly refuses to send more than a handful of messages per period of time.

    2. Same thing with emails.

    3. By the way, Blogger CAPTCHA didn't work while I was trying to leave this message as Anonymous. Was displaying a broken image and returning 404. So much for CAPTCHA. Had to revert to using OpenID.

    Thank you for being alert to security issues though!
