Formspring.me XSS Vulnerability

Formspring.me, a newly popular social networking site, has a fundamental cross-site scripting flaw that allows one logged-in user to steal another user's session, and may also let users find out who posted a nasty comment about them. A key complaint about the site is that you cannot find out the identity of an anonymous user.

Update: Kudos to Formspring.me: even though it was initially hard to report the problem, they corrected it within about an hour of a post being opened on their technical support forum, a fast turnaround by any standard.

Formspring.me

Formspring.me is a six-month-old social networking question-and-answer site. The site has come under scrutiny following a few recent news stories involving incidents with teenagers, the site's primary demographic. The first notable incident was a fight that broke out over comments on the site. More notable, however, is the story of Alexis Pilkington, a 17-year-old West Islip, NY high school graduate who committed suicide after dozens of insulting comments had been made to her on the site.

Judging from comments on the site, these are not isolated incidents, and it's fairly clear Formspring needs to come up with a better model:

Is it possible for you to delete an account for harassment if the posts were anonymously posted? I received 18 threats last night that I followed up with a police report to my local PD. I have the police report number; as of yet I have not deleted my account so that if you needed to access it to see the post you could. Please advise.

I need to know how to go about finding out who sent a message to my daughter's account. The message says... that she would be better off dead.

I would appreciate it if Formspring will work with our local Santa Barbara Police Department and the Santa Barbara Sheriff Department to find the person that was impersonating my daughter.

Such problems have led to various organized boycotts, letters home from school officials, and coverage under the topic of cyber-bullying in a number of news outlets.

The Big Issue People Have

One of the primary complaints about the web site is the anonymity of questioners. Hiding behind the veil of anonymity has allowed users, mostly teenagers, to make nasty remarks to each other that they would probably not make under their own names (although frankly the Internet is a wild place). Largely as a result, a good deal of effort has gone into figuring out how to determine "who said that about me?", at least according to the articles I've been reading. Formspring won't help you with anonymous questions, as it states in its support forums.

But here is an answer to that question, or at least a method: a way to grab another user's session knowing only their user name, because of a cross-site scripting vulnerability in the Formspring web site.

  1. We have two users: Tester21 and Tester25. Since they have such similar names, they have decided to follow each other using the site's People -> Find People and Follow functions.

  2. Tester25 goes to www.formspring.me and asks Tester21 a question:

    Ask another user a question.


  3. But that's kind of boring, so Tester25 asks a better question:

    <script>alert(document.cookie);</script>

  4. Tester21 logs in and sees he has a question:

Malicious script, dutifully encoded by Formspring.me.


Immediately he sees that this isn't a question. Formspring has done a good job for him: rather than allowing this malicious script to execute, it has encoded the output, as shown:

<a href="#" rel="question">
&lt;script&gt;alert(document.cookie);&lt;/script&gt;</a>
<span class="askedBy">asked by <a href="http://www.formspring.me/tester25" rel="profile">tester25</a>

  5. Glad that Formspring has protected him from revealing his session cookie by properly encoding the output, Tester21 makes a note to drop that loser Tester25 from his Follow list and clicks Home:

The home screen preview executes the JavaScript.

What Happened?

A preview function on the home page shows the user the last pending question they've received. If that happens to be the one containing the cross-site scripting string, the script executes: the preview inserts the question text without the encoding that the question list applies, so the same stored value is safe in one place and live in another. In this case it's only the classic alert-box demonstration, but anything that can be accomplished with JavaScript is possible.

Another Random Issue

It appears formspring.me sometimes logs users in as someone else without any interaction, as this user complaint suggests:

Hi, every time I want to go to my home page or feeds of my friends' answered questions, I keep going to random people's home pages or their feeds; any way I can fix this?

Why is Disclosure this Difficult?

After numerous attempts to sign up for the Support section of the site so we could notify Formspring of this defect, we finally just posted an issue in their Technical Support forum as the notification. They need to think about adding a form or an e-mail address for reporting security issues, à la Twitter and other sites.

Finally

So suppose someone is acting as an anonymous questioner but has given more information in their profile (e-mail, etc.). The person who wants to know who they are could send them a variation of the "poison question" above that steals that user's session. Most likely this would involve sending the user's cookies to another web site, where a script grabs the cookies, logs in as that user, and perhaps changes the user's password, which essentially takes over the account. From there the attacker gains access to any information filled out in the profile (which could be nothing, if the anonymous user entered dummy information and a throwaway e-mail address) and can post and answer questions as that user.

Additionally, by seeking out people who use the Formspring widget, you don't even need to be a Formspring user yourself to post the XSS string to a Formspring user's account.

The problem above is magnified by the fact that many users connect their Formspring accounts to Facebook and Twitter, meaning a person who has taken over the account can then post messages to those two services as well.

In terms of actual impact, it's unclear that users would have any truly sensitive information in their profiles, making information disclosure a low risk (assuming the user didn't post sensitive information themselves). Birthday and e-mail are probably the only two fields that could be considered confidential. So the primary issue is session hijacking. Is it a big deal? Probably not; other social networking sites had similar issues in their first six months of existence. It is just something that should be corrected.

As for Formspring itself and the issues people are having with anonymous users, this is probably worthy of its own blog post. There are a number of sites that allow anonymous comments to be posted, and the web is famous for snark and nastiness in online comments. That said, having experienced these problems so publicly, and being a web site used primarily by young people, Formspring would be best advised to remove the anonymous question capability to avoid libel, cut down on police investigations, and get itself out of the negative press for a while. Call it the price of being popular.

A special thanks to ethicalhack3r for bouncing some ideas around.

Filed Under: Cross Site Scripting


Comments (2)


  1. Alex says:

    Actually, you can find out who asked if you answer the question, delete it, and answer it again a few times; the person's identity will show.
