
Skitch.com, security alert? Alert the team

Posted by David in echolibre, industry, security
Tuesday, December 9th, 2008 at 10:39

About two weeks ago I was uploading something to skitch.com and saw an inline button. So, being a security person myself, I decided to try some XSS on their fields. After four tries I was able to load some of my JavaScript from a remote host, and the nice thing is that this was a public URL. So for fun I sent the URL to a few friends. What that script was really doing was taking their cookies, writing them to a file on my server and sending them back to the main page of Skitch. So basically what people told me was that the link didn’t work and they were sent to the main page. In the meantime I was finishing my PoC by replacing my cookie with their cookies. After about 10 minutes I had changed their first name and last name.

OK, this is a trivial remote script injection / cookie theft attack leading to sensitive data access and loss, but what I wanted to talk about in this post is the speed of the answer and resolution from the Skitch team. After putting together a nice little security audit/report and sending it to them, I got an answer about an hour later saying thanks for all this and that they had fixed the problem. They even thanked me for telling them and said, I quote:

As a security precaution, we have also changed our “masterkey”
that is the basis of all session-id-generation and keys for
automated logins, as well as invalidated all existing sessions
to make sure no user already compromised by such an exploit
is compromised for future logins.

As we’re constantly fighting against XSS-attacks, being a site
driven by user content, humble humans still fail at times, and
we would love and welcome any future bug reports you might be
able to come up with revealing similar problems in our code!

Fair play to Skitch.com and its team. This is very responsive, open-minded and nice at the same time. Well done :)


Comments (4 Responses)

Well spotted Dave, we need more of this kind of response to security reports so that curious developers can feel free to help out and not be labeled hackers.

Thank you very much. You are right, we need many more companies to start answering like this. This is also something we started trying to get going in the PHP Security Consortium a few years ago.

Thanks again for your help and kind words, David! :)

— Øyvind, Skitch.com

Glad to help Øyvind, I’ll give a second look within the next week :)
