|
|
|
|
| |
Third Voice provides an application that allows users to leave comments and create discussions on public web sites. The application is a browser companion, and requires that the web site support this feature as well.
While the application gained huge popularity, several vulnerabilities were found in the product. These vulnerabilities cause the program to compromise the security of the client's machine. |
| |
Credit:
The full explanation of NetFisher's exploit is available at: http://www.kattare.com/~vellad/tv.htm
|
| |
Using Third Voice, any user can add text to any existing page. The utility is supposed to filter out any active code (such as JavaScripts), but fails to do so in some cases.
Jeremy Bowers, a programmer from Michigan, showed a way to bypass the filtering of JavaScript, and showed how any user can alter the appearance of a web page created by Third Voice. Altering the appearance is dangerous, since the user thinks the page is coming from the web site he's visiting, and can be tricked into entering personal information that can be then sent to the attacker.
Third Voice fixed this vulnerability in a new version of their application released earlier this week, but then a hackers group called NetFishers released a custom made Thrid Voice client that logs into the Third Voice server and creates a special 'sticky note' containing JavaScript. This script (and the images it contains) is not filtered out by Third Voice, and whenever someone user views this note, the HTML page containing that note will be changed, and every 'submit' button on this page will be modified to redirect the submitted information to NetFishers. The information is sent to NetFishers by e-mail, and is then posted to the server, making the hack invisible to the user.
This will capture, for example, usernames and passwords of Hotmail, Geocities, Yahoo and other web-based utilities that require identification. All Third Voice clients are vulnerable, and the vulnerability only requires the user to view the special 'sticky note' posted by the attackers.
The exploit code is very simple, it only requires logging into the Third Voice server to port 80, and posting the following:
MfcISAPICommand=share&&urlid=&&grp=1&&parent=&&title=thisissubject&ref=1%3ABODY%7C1%3AP%7C38%3AFONT%3CAWE%3E2%3CAWE%3E0%3CAWE%3E22%3CAWE%3EWorld%20%20%20Wide%20Web%26quot%3B%3CAWE%3E&&urltitle=Home%20Page&&url=http%3A%2F%2Fwww.local.com%2F&&content=thisisbody
|
|
|
|
|
|
|
|
|
|
