Minds.com – Full Disclosure
Advisory: | VoidSec-15-002 |
Disclosure date: | June18, 2015 |
Vendor: | Minds.com |
Advisory sent: | June 17, 2015 |
Paolo Stagno ( aka voidsec – [email protected] )
Luca Poletti ( aka kalup – [email protected] )
Table of Contents
Download the Report [EN]
Introduction
In those last days a new social network called minds is getting attention over the internet, it aims to give transparency and protection to user data. Thanks to those last two points the new site has attracted the support of online activists including the hacking collective Anonymous.
We have then decided to give a look to that amazing platform, and we have seen that in reality is a long running project started in 2012 and that the product is still in beta. The first we tried has been a simple search and…well we find our first XSS so we decided to have some fun! The project is open source and we have already sent a notification to developers.
A little note before starting, within that social network there are payments options, CC and BTC, so any XSS is critical.
Here is a list of the vulnerability that we have found; they are almost all higly critical so we hope in a fast fix from developers.
Key Findings
- Multiple XSS
- Delete of any message from any user
- Upload of arbitrary files
- Edit profile data of any user
- Unauthorized control of contents
We would like to remember and point out that the project is huge and is at beta stage, so things like those we have listed are not unbelievable, but we hope they will get fixed in a very short time.
Indeed those flaws are very critical since they allow an attacker to completely wipe the platform, potentially infect every user or steal their credentials and sensitive data.
We would lie to point out that we have only scratched the surface, we have done this little analysis by hand and we haven’t checked SQLi, CSRF, tokens and sessions, probably there are many other vulnerability there around.
Full Disclosure Policy
For projects that have a public bug report page we cannot guarantee any disclosure time (or responsible disclosure), as anyone who has access to the bug report has the access to the vulnerability. In this case we evaluate a possible immediate publication (full disclosure) to promote a more rapid fix.
The permalink URL for the complete policy is: http://voidsec.com/disclosure-policy/
by VoidSec Security Team