Ajax flaw in a Chinese Facebook App causes unexpected injection vulnerabilities

Chinese social networking site Renren.com has long been known as being a cheap clone of the famous Facebook site. Still, this site has accumulated a millions of users across China despite most of them realizing the obvious plagiarism. Of course, due to the fact that Facebook.com is inaccessable in mainland China.

With Renren's rapid succession in China, it has also become a target (like many other public sites) for XSS injections. Months ago, an XSS attack that targetted the onsite messaging system occurred. Users received onsite messages containing malicious JS code that when opened caused the user to distribute the letter to friends.

After the attack, Renren persumably tightened security procedures, disallowing commas and dollar signs in posts,statuses and onsite mail.

Recently, however, a small hobbist group has found a leak on one of the onsite apps. A successful exploit of the leak using AJAX could allow malicious users to inject any HTML code into the App's homepage targeting a certain User ID. Users who haven't 'allowed' the app, will receive an 'invite' to use the app. Once accepted, they will be automatically redirected to the page containing offending code.

 "It is bad practise for AJAX programmers to not do any server-side data filtering", the group's notice said. "And using very obvious variable names like _toUserId and _toUserName also made discovery of the vulnerability easier."

As all apps on Renren share a subdomain with the main site, scripts injected inside the App could have easy access to users' private cookies and data.

Upon discovery, the exploit has been reported to the App's manager. 'But it seems he is dealing with other matters at the time, such as user complaints about data privacy', an anonymous user wrote. 48 hours have passed and still no effort to fix the issue from either Renren (by pulling down the offending app) or the App's manager has been made.

It is estimated that at least 1,264,000 users are affected by this exploit (number still growing every hour).

Just goes to show you what China quality software is and their initiative to fix their problems.