Mydex XSS Flaw (Disclosed & Fixed)

by @edent

Ever heard of Mydex? Here’s how they describe themselves:

Mydex provides the individual with a hyper-secure storage area to enable them to manage their personal data, including text, numbers, images, video, certificates and sound. No-one but the individual can access or see the data.

Not just secure, but hyper-secure! They’ve been signed up by the UK Government to provide Identity Assurance. Pretty impressive, eh?

Let’s ignore the fact that their website doesn’t use SSL and concentrate on the XSS flaw on the site.

Cross-Site Scripting (XSS) is, in simple terms, a way to make a web page run code that its owner never intended it to run. Let’s take a look at a simple example:

By searching for

<em>test

We can force the page to display in italics.

(Screenshot: mydex XSS em)

This is because the search box’s input isn’t sanitised before it is echoed back into the page. You can put whatever you want in there and the web page will display it verbatim. For example, if you paste in the HTML code to display a photo, then this happens:

(Screenshot: mydex img xss)

Ok – so that’s a bit annoying, but nothing too bad. So, what happens if we try to inject JavaScript into the page?

(Screenshot: mydex xss script)

Aha! Now we can run arbitrary JavaScript in the context of this website. In fact, we can completely take it over. Using JavaScript we can tell the page to redirect to some other website, we can switch on the user’s microphone and camera – all sorts of naughty tricks.
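As an added illustration (not code from the post, nor from Mydex), here is the flaw and its fix in a hypothetical search-results renderer, with the post’s three inputs as constructed samples and a small check that flags whichever renderer echoes markup back unencoded:

```python
import html

# Constructed sample search queries, modelled on the inputs in the post
# (an <em> tag, an <img> tag and a <script> tag) plus a harmless one.
SAMPLE_QUERIES = [
    "<em>test",
    '<img src="https://example.com/photo.jpg">',
    "<script>alert(1)</script>",
    "plain text",
]


def render_results_vulnerable(query: str) -> str:
    """Mirror the flawed behaviour: the raw query is echoed into the HTML."""
    return f"<p>You searched for: {query}</p>"


def render_results_fixed(query: str) -> str:
    """Hardened version: HTML-encode the query before it reaches the page.

    html.escape turns < > & " and ' into entities, so whatever the user
    typed is displayed as text and never parsed as markup.
    """
    return f"<p>You searched for: {html.escape(query, quote=True)}</p>"


def is_reflected_raw(query: str, rendered: str) -> bool:
    """True if a query containing markup characters survives verbatim."""
    return any(ch in query for ch in "<>\"'") and query in rendered


def audit(renderer) -> list[str]:
    """Return the sample queries that the given renderer reflects unencoded."""
    return [q for q in SAMPLE_QUERIES if is_reflected_raw(q, renderer(q))]


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_results_vulnerable),
                           ("fixed", render_results_fixed)):
        print(f"{name}: reflected unencoded -> {audit(renderer)}")
        print("   ", renderer("<em>test"))
```

The same `audit` check dropped into a site’s test suite catches a regression the moment someone removes the encoding again.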

To Mydex’s credit, a few minutes after reporting the flaw it was fixed.

There’s absolutely no suggestion that any user’s personal data was at risk here. I would consider it extremely unlikely that anything entered into that search field could have caused an SQL injection attack.

Mydex also operates a strict separation of their “publicity” site and their Personal Data Service – which really does seem very secure.

It would, however, have been very easy for a scammer to set up a JavaScript redirection to a phishing site in order to trick a user into entering her personal details. Similarly, an attacker could have sent Mydex staff a link saying “Please reset your admin password – click here” and been granted the keys to the kingdom.

The Open Web Application Security Project lists the top ten most critical web security risks facing organizations. XSS is number 3.

If you’re running a website – especially one which deals in security – please take the time to read over the list and understand how to protect your business and your users.

Timeline

  • January 23rd – Reported and fixed.
  • February 5th – Publication agreed.
