May 16, 2010
Posted by: Joy : Category: Vulnerability
Recently, many friendster users leave and move to facebook. That’s probably because facebook provides more easyness and interactivity than friendster, many cool games, chat, usefull applications, etc. Friendster seems to follow facebook too now, they tried to add anything facebook has on their page. They even tried to provide us chat facility like the one on facebook, but it has not been implemented yet untill now. There are some more things that friendster try to follow, you can see how their activity stream, also link sharer, etc.
OK, let’s go straight to the topic, i accidentally found another XSS vulnerability “again” on their file, named sharer.php. It doesnt sanitize parameter correctly.
Recently in the year of 2010, the previous trick of view friendster private photos is not available anymore as friendster has added authoritation code as a parameter on their request page. Now we need a little more complicated way to get access to friendster private photos.
The word private here means that facebook photos/album belong to those profile that are not listed on our friendslist but the privacy setting is set to everyone and the photos tab is hidden. Using this trick below we can reveal the album links. OK, lets try it using my profile as an example :
Multiply is a social networking service with an emphasis on allowing users to share media - such as photos, videos and blog entries - with their “real-world” network. The website was launched in March 2004 and is privately held with backing by VantagePoint Venture Partners, Point Judith Capital, Transcosmos, and private investors. Multiply has over 11 million registered users. The company is headquarterd in Boca Raton, Florida.
Media-Box