I accidentally found a way to become any user on Squidoo. Here is what happened.
I was new to Squidoo and had just created my account and my first lens. A lens is what Squidoo calls the pages that users make; their FAQ describes it like this: "It's an easy-to-build, single web page that can point to blogs, favorite links, RSS feeds, Flickr photos, Google maps, eBay auctions, CafePress designs, Amazon books or music, and more." My lens was an experiment to evaluate Squidoo for a project that I was working on, and I certainly wasn't expecting to find a gaping security hole!
After creating my account I had received a mail from Squidoo, in order to verify my e-mail and activate my account. That all worked (and I wasn't paying much attention to this process, as it is so common). Later I had an evening in town with some friends and after returning home, I wanted to make a quick update to my new lens before going to bed. But when I tried to log in, I was denied access and got the message that my account was still not confirmed. Weird; I was sure I had already confirmed my account. But a link allowed me to resend the confirmation e-mail. So I did that.
What they sent me was this link:
http://www.squidoo.com/member/confirmation/ottodv
I clicked on it and was logged in.
But then I started to think: how come I was logged in? I did type in my userid and password just before receiving this mail, so maybe that in combination with following the confirmation link is what did it? But I did not type it in again after following that link! That got me thinking.
As you can see in the link, the last part (ottodv) is my userid. So I decided to do a simple check. From the Squidoo homepage I randomly chose a lens and noted the userid of that lensmaster. Then I replaced my userid with that of the other lensmaster in the confirmation link... Surprise! Without supplying any password I was logged in as the other lensmaster and I could edit his lenses (at least I could enter edit mode).
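The defect described above is that the confirmation link carries nothing but the userid, so the server has no way to tell the account owner (who received the mail) from anyone who can type a userid into the URL. The following is an added example, not Squidoo's code (which was never published): it contrasts a confirmation endpoint that trusts the userid in the path with one that issues a random, single-use, expiring token and stores only its hash. The host name `squidoo.example`, the class names and the sample users are assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical host; the path shape mirrors the link quoted in the post.
BASE = "https://squidoo.example/member/confirmation/"
TOKEN_TTL_SECONDS = 24 * 60 * 60


@dataclass
class Account:
    userid: str
    confirmed: bool = False


class VulnerableConfirmation:
    """The pattern from the post: the link carries only the userid, so
    anyone who can spell a userid can 'confirm' that account and get a session."""

    def __init__(self, accounts: Dict[str, Account]):
        self.accounts = accounts

    def make_link(self, userid: str) -> str:
        return BASE + userid

    def confirm(self, link: str) -> Optional[str]:
        userid = urlsplit(link).path.rsplit("/", 1)[-1]
        acct = self.accounts.get(userid)
        if acct is None:
            return None
        acct.confirmed = True
        return acct.userid  # caller starts a session as whoever the URL names


class HardenedConfirmation:
    """The link carries a random token instead of the userid. The token is
    unguessable, bound to one account, single-use, expiring, and only its
    SHA-256 digest is kept server-side (a leaked table cannot be replayed)."""

    def __init__(self, accounts: Dict[str, Account], clock: Callable[[], float] = time.time):
        self.accounts = accounts
        self.clock = clock
        # sha256(token) -> (userid, expiry timestamp)
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def make_link(self, userid: str) -> str:
        if userid not in self.accounts:
            raise KeyError(userid)
        # Resending a confirmation invalidates any earlier token for this user.
        self._pending = {h: v for h, v in self._pending.items() if v[0] != userid}
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe alphabet
        self._pending[self._digest(token)] = (userid, self.clock() + TOKEN_TTL_SECONDS)
        return BASE + token

    def confirm(self, link: str) -> Optional[str]:
        token = urlsplit(link).path.rsplit("/", 1)[-1]
        # pop() makes the token single-use whether or not it turns out valid.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None  # unknown, already used, or forged token
        userid, expiry = entry
        if self.clock() > expiry:
            return None  # stale link; user must request a fresh one
        self.accounts[userid].confirmed = True
        return userid
```

The lookup is keyed on the token's hash rather than the raw token, so the server never stores the secret it mails out, and expiry plus single use limit the window in which a forwarded or logged link is worth anything. Whether a successful confirmation should also start a session, as Squidoo's did, is a separate policy choice; the point here is that with the token in the link, clicking it proves possession of the mailbox rather than knowledge of a public userid.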
Then, of course, came the dilemma. I am not going to vandalize someone else's work, but still want to check how far I can actually go. Thankfully I then thought of my friend Ken; he was the one who had suggested Squidoo to me and of course he had a lens. I know him well and knew he wouldn't mind if I made a small edit to his lens. So I looked up his userid and using that in my URL I became Ken on Squidoo. I edited one of his lenses by adding three exclamation marks to his lens. Then I mailed him that I had "hacked" his lens; he replied that he was very impressed.
OK, proof enough. I had to do something now to get the problem fixed. This method was so easy and could be discovered by anyone else at any moment, presuming other new users would receive these "confirmation" e-mails as well. It was therefore vital that it got fixed quickly. I initially reported the problem via the "bugs & feedback" feature on the Squidoo website, but 11 hours after I made that report it was not yet picked up. So I decided to make it public and hopefully attract some attention from Squidoo staff or someone who could get the attention of Squidoo staff. However, I had to prove my claim in such a way as not to risk revealing how I did it (even trying to avoid anything that could be used as a clue).
So I made a webpage with some screenshots and posted a story on Digg (which incidentally failed miserably). I later found that Squidoo actually had a forum too and then I posted it there too. This is what I wrote (including a few additions I made later):
After a night out with friends in Tallinn, I logged on to Squidoo to edit a lens about Firefox I had just created, it was my first lens, and just an attempt to see how things worked. Then something struck me and on 2007-02-03 around 05:00 Estonian Time (03:00 GMT) I found a way to become any user on Squidoo.
At 05:53 I sent a message to Squidoo, via their website interface with the title "I can log in as anybody on SQUIDOO!!! URGENT". I explained to them how I managed to do it. Then I went to bed. After I woke up I found that the issue had not been resolved. I guess they are not reading their e-mail. Unfortunately there is a risk of other people finding this and the potential for damage is huge. So the problem must be addressed quickly, but there is no other way to contact them directly known to me. The only alternative I can think of to get their attention is to make this information public but without explaining how it works. So 11 hours after I reported it to Squidoo, I decided to make this page and post it on Digg. And on 2007-02-04 at 12:47 Estonian Time I also posted it on the Squidu Forum.
Because of the risk of abuse of this exploit, I will not publish any details on how I managed to do this until after Squidoo has resolved the issue. Instead, in order to prove my claim, people with a Squidoo lens can mail me and ask me to add a short text to their Lens. This is how it will work.
- Edit your lens, and add the text "Hack me Samy" anywhere in the top portion of your page. This proves to me that you gave me permission to edit your lens and that it actually belongs to you (unless, of course, you hacked it).
- Add the URL of your lens to the Digg story, the Squidu forum, or mail it to me at otto2003(at)de-voogd(dot)com.
- I will add the text "Samy is my hero again" after that line.
- Please leave the change so I can add the URL to the list below as proof.
p.s. "Samy is my hero again" is a tribute to Samy's MySpace exploit.
Only one person, Marco Casteleijn gave me permission to hack his lens:
Of course, my text was somewhat misleading: I found this exploit because I couldn't log on to Squidoo in the first place and needed to reconfirm my account. But I couldn't say that, as it would have provided a clue. This way at least anyone who tried to look for my exploit would be misled into thinking that they had to be logged in first.
I added the following screenshots to the page. Well, yeah, I know things can be photoshopped easily (though not by me), but still it could give my story a bit more credibility. So I added them, but not before covering up text that could have been used as a clue. Also the screenshots would not include the URL (which would have granted anyone instant access). This is what the screenshots and accompanying text looked like:
I picked a Lens that featured on the homepage and managed to log in as the user who created it. I could edit his lenses, but I don't know him and don't want to touch his work, so I left it at that. The first part of the exploit worked: I could become anyone I wanted.
(screenshot: logged in as the lensmaster of a featured lens)
But I wanted to check whether I could really publish a change on someone else's Lens. So I became Ken Saunders, a good friend, who I knew would not object.
(screenshot: logged in as Ken Saunders)
Hit the edit link on one of his lenses. Got to love the "drumroll please..." pop-up, very fitting at a time like this...
(screenshot: the "drumroll please..." pop-up on the edit link)
I edited one of his modules (on SpreadingFirefox), by adding three exclamation marks to the last sentence in a text box.
(screenshot: the edited module on SpreadingFirefox)
Now that the issue has been resolved I can safely show the screenshot with all the information. You can see how the confirmation URL led to being logged in.
On 2007-02-04 at 23:37 Estonian Time, Gil from Squidoo reported on the Squidu forum that he had fixed the problem. Finally...
For bug reports, requests or other reasons,
contact me by E-mail:
otto2003(at)de-voogd(dot)com