Exclusive – Voidsec disclosed a number of flaws affecting Minds.com Platform

Pierluigi Paganini June 18, 2015

Security expert at Voidsec have analyzed the popular social networking minds.com disclosing a number of security vulnerabilities.

Security expert at Voidsec, Paolo Stagno ( aka voidsec [email protected] ) and Luca Poletti ( aka kalup – [email protected] ), have analyzed the popular social networking platform minds.com that is getting attention by media because it aims to give transparency and protection to user data. By promising transparency and security the minds.com has attracted the support of online activists including the popular hacking collective Anonymous.
The experts highlighted that minds.com is a long running project started in 2012 and that the product is still in beta version. After a few tests they spotted their first XSS vulnerability, then they decided to exploit it. The XSS vulnerability affecting the minds.com social network is considerable critical due to the possibility to make payments, using both Credit Card and BitCoins, .

Be aware, the two experts already reported the flaw to the developers that actually manages the open source project minds.com.
Below a detailed description of the vulnerabilities  discovered by the researchers:

XSS in the search form
The search form is vulnerable to a reflected XSS, which can be triggered by using a specifically crafted URL. An attacker can exploit is to run phishing attacks and steal victim’s credentials.

https://www.minds.com/search?q=<center><b><u><h2>XSS<br><br></center>&subtype=blog

minds xss 1

XSS within profile details

The following fields within user description are vulnerable to stored XSS attacks:

  • Place
  • Website
  • E-mail

This is quite critical since an attacker may steal credentials to every visitor to his profile:

<script>alert(‘XSS’);</script>

minds xss 2

XSS within the Archive title
The title field within users archives are vulnerable to stored XSS injection; any user visiting an infected archive will execute the javascript the attacker has stored within the title.

<script>alert(‘XSS’);</script>

Delete of any message from any user
An attacker could easily delete any public post of any user from any location (profile, blog, groups):

https://www.minds.com/newsfeed/<insertPostID>/delete

Upload of arbitrary files

Any user can upload any file to the social network platform allowing malicious activities such as malware distribution.

minds flaw 3

Edit profile data of any user

Using this vulnerability an attacker could edit profile data of any user. It wouldn’t be such a destructive vulnerability if it wasn’t that it can be combined with vulnerability #2. In that way an attacker is sure that his victims will be exploited, because is no more necessary that victims visit attacker profile for being exploited, but they only need to visit their own profiles (default action after successful login) for being exploited. One attack vector, for example, could be the BeEF Hook (http://beefproject.com/)

https://www.minds.com//custom

Unauthorized control of contents
Any visitor of the platform may completely defaces the main structure, eventually conducting phishing or malware distribution campaigns. An attacker even without being registered on the site may edit a pre-existent article (main page, FAQ, Tos, …) and insert arbitrary content. The attacker may also delete any article within the main structure of the site. The Flaw seems to be fixed at time of writing.

/p/edit/<page_name>

minds flaw 1
Summary
We would like to remember and point out that the project is huge and is at beta stage, so things like those we have listed are very common and normal, anyway the experts hope developers will fix them in a very short time.
Indeed those flaws are very critical since they allow an attacker to completely wipe the platform, potentially infect every user or steal their credentials and sensitive data.
Voidsec would lie to point out that they have only scratched the surface, they have done this little analysis by hand and they haven’t checked for the presence of other flaws, including SQLi, CSRF, tokens and sessions.

Probably the number of vulnerabilities is greater.

Pierluigi Paganini

(Security Affairs – XSS , minds.com)



you might also like

leave a comment