Indiatimes.com Shopping remains Vulnerable!!


  1. Thanks for linking me 😉

    There is one major bug in one government site also, but they too never cared to patch it…

    it allows you to read boot.ini and other various system files..

    Deep

  2. There is one major bug in one government site also, but they too never cared to patch it…

    it allows you to read boot.ini and other various system files..

    Uhh, let's keep it under wraps then, we don't want the law on us, eh!! 😉

  3. Did you try reporting them?
    Indiatimes mail was vulnerable to SQL injection a year ago. I worked with them and they fixed it, although they didn't give any credit to me. And they were quite naive in handling security-related issues. I had a bad time arguing and convincing them I am not the culprit.
    There was an XSS bug in the Indiatimes email system that was quite fatal. See http://www.google.com/search?hl=en&q=sandeep+giri+indiatimes&btnG=Google+Search
    I reported it to them but they didn't pay heed to it. Then I was forced to post on SecurityFocus.
    So, instead of posting on your blog, you ought to post on SecurityFocus or any other popular bugtraq first. If these bugtraqs don't accept the post (nowadays they don't publish bugs in a website), then you can publish it anywhere.

    Anyway, thanks Amit for the post.

    -A0

  4. Alpha0, I didn't report it to Indiatimes, don't have time to waste with them, but Deep, who discovered it, reported it & they didn't pay any attention to it. So I just posted it here &, if you should know, this blog is a bit popular & has a bit decent search rankings & this post comes up at #3 in Google if you search for Indiatimes Shopping. That's the reason they got in touch with me!! I explained the bug & how it can be exploited to them. Their guy said that it's not their fault as this shopping portal is done by a 3rd party!! 😉 And even after I explained a lot about the bug to him, he said to compile all the details & then mail him. I said to hell with it, it's not my problem & I don't have time to give out free consultancy services!! Let the people discover the problem & then they'll shun Indiatimes shopping.

    I worked with them and they fixed it although they didn't give any credit to me.

    What were they supposed to do? Put a link to you at the bottom of the Indiatimes Email pages stating that you've helped them iron out a bug? 😉 Well, frankly, I'm not surprised; companies like these, first they are morons & then they can't afford to tell people that their applications had security bugs which were discovered by other people & not their testers!! What amazes me is how such moronic people find a job at Indiatimes or get a contract (if the applications of Indiatimes are done by 3rd parties). I guess you get what you pay for, so cheapskates like Indiatimes pay a lot less & thus they suck!!!!

  5. Man,
    These guys are jerks and claim to be certified by some APIC
    They seriously deserve one tight slap..

  6. While ordering at Indiatimes shopping, on the last and final page when I clicked Submit, it just returned me an error, and to top it my credit card was charged.

    Don't they have a transaction setup so that if the order no. is not generated the credit card transaction should roll back!!

    Well anyway, foolishly enough I tried 4 times, and Indiatimes now owes me Rs. 714 x 4 = 2856. Tried contacting their customer service by the link on their homepage which sends out an email... never got a response.

    Does anybody have their phone nos. so I can blast these unprofessional, dumb, idiot morons?

  7. I don’t know why are you fussing about the charge!! If you paid by Credit Card, then simply go to your bank & do a chargeback on them which will return your money back to you. As simple as that!!

  8. Anyway, I don't really trust these Indiatimes-like sites.
    A few days back prasadz.com was vulnerable and I reported it to them and they didn't respond.
    A few days after I demoed it in a public workshop, prasadz.com was down for a few hours (or a day) with a message "site has been hacked."
    So, before doing any e-transaction I make sure the website is worth it.

    “Fighting tells you how genuine a person is.” –Alpha0

    Anyways, I love reading your blog.

    <– Author Snip: No link promotion allowed –>
