Ask HN: Is this a XSS? What else can I do?

14 points by joakin ↗ HN
Hi,

About 3 weeks ago I was posting something to posterous and noticed that there was something weird at the top of the page.

Inspecting, playing around and such I figured out and inserted JS into the post, doing an alert() when the page loaded. http://i.imgur.com/pL8W2.png

From what I know, and what I have read this is an XSS, Im not completely sure of which length of script could I execute but I think it could be enough to load a script from another page, and then do the malicious stuff.

I contacted Posterous through their Feedback form about 3 or 4 weeks ago, and I havent received an answer. Since the post still shows the alert and its not fixed they may have not read the mail or discarded it...

Can anybody confirm that this is dangerous?

3 comments

[ 5.2 ms ] story [ 23.9 ms ] thread
It can be dangerous yes, somebody could exploit this. Not sure who you should contact at Posterous tho ...
I just took a look and there appear to be some risks associated with this vulnerability.

If you log in to Posterous and check the "Remember me" box, it sets a cookie scoped to .posterous.com (which means it's within the scope of this XSS). That cookie does not have the HttpOnly flag set, which means it can be accessed via Javascript. I'm not sure whether the auth_token cookie has any protections against session hijacking (ie: if it's restricted to the IP that was used to log in). If it doesn't, you can steal the cookie and log in as a user.

Outside of that, the site appears to use a cookie called _sharebymail_session_id, which is scoped the same as auth_token but which is marked HttpOnly, which means it can't be accessed directly via Javascript.

In order to really exploit this vulnerability, you would need to find a way to send requests to and read responses from posterous.com, the root domain, since that's where all the functionality is defined.

Contact rich@posterous-inc.com