Exclusive – Voidsec disclosed a number of flaws affecting Minds.com Platform

Security experts at Voidsec have analyzed the popular social networking platform minds.com, disclosing a number of security vulnerabilities.

Security experts at Voidsec, Paolo Stagno ( aka voidsec – voidsec@voidsec.com ) and Luca Poletti ( aka kalup – kalup@voidsec.com ), have analyzed the popular social networking platform minds.com, which is getting media attention because it aims to give transparency and protection to user data. By promising transparency and security, minds.com has attracted the support of online activists, including the popular hacking collective Anonymous.
The experts highlighted that minds.com is a long-running project started in 2012 and that the product is still in beta. After a few tests they spotted their first XSS vulnerability, and then they decided to exploit it. The XSS vulnerability affecting the minds.com social network is considered critical because the platform accepts payments, by both credit card and Bitcoin.

Note that the two experts have already reported the flaws to the developers who maintain the open source project minds.com.
Below is a detailed description of the vulnerabilities discovered by the researchers:

XSS in the search form
The search form is vulnerable to a reflected XSS, which can be triggered by using a specifically crafted URL. An attacker can exploit it to run phishing attacks and steal victims' credentials.

https://www.minds.com/search?q=<center><b><u><h2>XSS<br><br></center>&subtype=blog

XSS within profile details

The following fields within user description are vulnerable to stored XSS attacks:

  • Place
  • Website
  • E-mail

This is quite critical since an attacker may steal credentials from every visitor to his profile:

<script>alert('XSS');</script>

XSS within the Archive title
The title field within user archives is vulnerable to stored XSS injection; any user visiting an infected archive will execute the JavaScript the attacker has stored in the title.

<script>alert('XSS');</script>
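The three XSS issues above (the reflected search parameter, the stored Place / Website / E-mail profile fields, and the stored archive title) share one root cause: user-supplied text reaches the page without output encoding. The following is an added example in Node.js, not code from Minds.com or from the researchers, showing the vulnerable concatenation beside the fixed version and the input validation a defender would add for the typed profile fields. The function names, field names and page layout are assumptions made for the illustration.

```javascript
// Added example (not Minds.com code): output encoding for a reflected search
// parameter and strict validation of stored profile fields. Field names and
// page layout are assumptions for the illustration.

// Escape the five characters that let data break out of an HTML text or
// attribute context. Applied at render time, whatever the storage layer did.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable pattern: the query string is concatenated straight into markup,
// so a crafted ?q= value becomes live HTML (the search-form issue above).
function renderSearchUnsafe(q) {
  return `<h1>Results for ${q}</h1>`;
}

// Fixed pattern: the same page with the parameter encoded on output.
function renderSearchSafe(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Stored fields (Place, Website, E-mail, archive title): validate on input so
// the value matches the type the field claims to hold, then still encode on
// output. Validation alone misses contexts you did not think of; encoding
// alone leaves junk in the database, so do both.
const MAX_TEXT = 200;

function validateWebsite(url) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return null; }
  // Only http(s): rejects javascript:, data: and similar schemes that would
  // execute when placed in an href.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return parsed.href;
}

function validateEmail(email) {
  // Deliberately simple shape check: exactly one @, no whitespace or angle brackets.
  return /^[^\s@<>]+@[^\s@<>]+\.[^\s@<>]+$/.test(email) ? email : null;
}

function validateText(text) {
  const t = String(text).trim();
  return t.length > 0 && t.length <= MAX_TEXT ? t : null;
}

// Render a profile card from stored values; every field is encoded, and the
// website goes into an href only after the scheme check above passed.
function renderProfile(profile) {
  const site = validateWebsite(profile.website);
  const link = site ? `<a href="${escapeHtml(site)}">${escapeHtml(site)}</a>` : '';
  return [
    `<p class="place">${escapeHtml(profile.place)}</p>`,
    `<p class="email">${escapeHtml(profile.email)}</p>`,
    `<p class="website">${link}</p>`,
  ].join('\n');
}

// Constructed sample: the stored payload quoted in the write-up, in the Place
// field, next to a javascript: URL in the Website field.
const SAMPLE_PROFILE = {
  place: "<script>alert('XSS');</script>",
  email: 'user@example.com',
  website: 'javascript:alert(1)',
};

console.log(renderSearchUnsafe('<b>q</b>'));   // markup survives: vulnerable
console.log(renderSearchSafe('<b>q</b>'));     // markup encoded: fixed
console.log(renderProfile(SAMPLE_PROFILE));
```

A template engine with auto-escaping enabled gives the same effect as escapeHtml for the text context; the explicit scheme check on the website field is still needed because escaping does not make a javascript: URL safe inside an href.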

Deletion of any message from any user
An attacker could easily delete any public post of any user from any location (profile, blog, groups):

https://www.minds.com/newsfeed/<insertPostID>/delete

Upload of arbitrary files

Any user can upload any file to the social network platform allowing malicious activities such as malware distribution.
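The usual defence for an "upload anything" endpoint is to decide the file type server-side from the bytes, accept only an allowlist of types, and store the file under a server-generated name. The following is an added example in Node.js, not code from Minds.com; the allowed types, the size limit, the sample byte sequences and the validateUpload function are all constructed for the illustration.

```javascript
// Added example (not Minds.com code): allowlist-based validation for a media
// upload endpoint. Allowed types, size limit and sample bytes are assumptions
// made for the illustration.

// Permitted MIME types, each with its file-header signature ("magic bytes")
// and the extension the server will use when storing the file.
const ALLOWED = {
  'image/png':  { magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a], ext: 'png' },
  'image/jpeg': { magic: [0xff, 0xd8, 0xff], ext: 'jpg' },
  'image/gif':  { magic: [0x47, 0x49, 0x46, 0x38], ext: 'gif' },
};
const MAX_BYTES = 5 * 1024 * 1024; // assumed 5 MiB limit

// Detect the type from the content, never from the client-supplied filename
// or Content-Type header: both are attacker-controlled.
function sniffType(bytes) {
  for (const [mime, { magic }] of Object.entries(ALLOWED)) {
    if (bytes.length >= magic.length && magic.every((b, i) => bytes[i] === b)) {
      return mime;
    }
  }
  return null;
}

// Returns { ok: true, mime, storedName } or { ok: false, reason }.
// storedName is generated from a server-side id, so the original filename
// (with any path components or double extensions) never reaches the disk.
function validateUpload(declaredMime, bytes, serverId) {
  if (bytes.length === 0) return { ok: false, reason: 'empty' };
  if (bytes.length > MAX_BYTES) return { ok: false, reason: 'too large' };
  const mime = sniffType(bytes);
  if (!mime) return { ok: false, reason: 'unsupported content' };
  if (declaredMime !== mime) {
    return { ok: false, reason: 'declared type does not match content' };
  }
  return { ok: true, mime, storedName: `${serverId}.${ALLOWED[mime].ext}` };
}

// Constructed sample inputs: the first bytes of a PNG and a JPEG, a Windows
// executable header ("MZ"), and an HTML snippet renamed to look like an image.
const SAMPLES = {
  png:  Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d]),
  jpeg: Uint8Array.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46]),
  exe:  Uint8Array.from([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00]),
  html: Uint8Array.from(Array.from('<script>alert(1)</script>', c => c.charCodeAt(0))),
};

console.log(validateUpload('image/png', SAMPLES.png, 'upload-0001'));  // accepted
console.log(validateUpload('image/png', SAMPLES.exe, 'upload-0002'));  // rejected
console.log(validateUpload('image/png', SAMPLES.html, 'upload-0003')); // rejected
```

Two further controls belong on the serving side rather than in this function: serve uploads from a separate origin (or with Content-Disposition: attachment and X-Content-Type-Options: nosniff) so that a file which slips through is not rendered in the site's origin, and run anti-malware scanning on the stored copy.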

Edit profile data of any user

Using this vulnerability an attacker could edit the profile data of any user. It wouldn't be such a destructive vulnerability if it couldn't be combined with vulnerability #2 (the stored XSS within profile details). Combined, an attacker is sure that his victims will be exploited, because it is no longer necessary for victims to visit the attacker's profile: they only need to visit their own profiles (the default action after a successful login). One attack vector, for example, could be the BeEF Hook (http://beefproject.com/)

https://www.minds.com//custom

Unauthorized control of contents
Any visitor of the platform may completely deface the main structure of the site, potentially conducting phishing or malware distribution campaigns. An attacker, even without being registered on the site, may edit a pre-existing article (main page, FAQ, ToS, …) and insert arbitrary content. The attacker may also delete any article within the main structure of the site. The flaw seems to have been fixed at the time of writing.

/p/edit/<page_name>
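The post deletion, profile edit and page edit issues above are all the same defect: the server acts on whatever object id is in the URL without checking that the caller is allowed to touch that object. The following is an added example in Node.js, not code from Minds.com, showing one central policy function applied to all three operations, with every denial written to an audit log so that an account enumerating ids against these endpoints is visible. The users, posts, pages, the role model and the function names are constructed for the illustration.

```javascript
// Added example (not Minds.com code): object-level authorization for the three
// operations described above. Users, posts, profiles, pages and the role model
// are constructed for the illustration.

const users = {
  alice: { id: 'alice', role: 'member' },
  bob:   { id: 'bob',   role: 'member' },
  root:  { id: 'root',  role: 'admin'  },
};
const posts    = { 101: { id: 101, ownerId: 'alice', body: 'hello' } };
const profiles = { alice: { place: 'Rome' }, bob: { place: 'Milan' } };
const pages    = { faq: { body: 'Frequently asked questions' } };

// Every denial is recorded. Many 403s from one account against many different
// object ids is the detection signature of someone walking the delete or
// edit endpoints.
const auditLog = [];

function deny(actor, action, target, reason) {
  auditLog.push({ actor: actor ? actor.id : 'anonymous', action, target, reason });
  return { ok: false, status: actor ? 403 : 401, reason };
}

// Central policy: the only place that decides who may act on what. Handlers
// never compare ids themselves, so a new endpoint cannot "forget" the check.
function can(actor, action, resource) {
  if (!actor) return false;                              // anonymous: nothing
  if (actor.role === 'admin') return true;               // admins: everything
  switch (action) {
    case 'post:delete':    return resource.ownerId === actor.id;
    case 'profile:update': return resource.userId === actor.id;
    case 'page:edit':      return false;                 // site pages: staff only
    default:               return false;                 // unknown action: deny
  }
}

// DELETE /newsfeed/<postId>: only the owner (or an admin) may remove a post.
function deletePost(actor, postId) {
  const post = posts[postId];
  if (!post) return { ok: false, status: 404 };
  if (!can(actor, 'post:delete', post)) return deny(actor, 'post:delete', postId, 'not owner');
  delete posts[postId];
  return { ok: true, status: 200 };
}

// POST /profile/<userId>: the target user comes from the URL, the actor from
// the session; they must match unless the actor is an admin.
function updateProfile(actor, userId, patch) {
  if (!profiles[userId]) return { ok: false, status: 404 };
  if (!can(actor, 'profile:update', { userId })) return deny(actor, 'profile:update', userId, 'not owner');
  Object.assign(profiles[userId], patch);
  return { ok: true, status: 200 };
}

// POST /p/edit/<pageName>: site-wide pages are never editable by members,
// and an unauthenticated caller gets 401 rather than a silent success.
function editPage(actor, name, body) {
  if (!pages[name]) return { ok: false, status: 404 };
  if (!can(actor, 'page:edit', pages[name])) return deny(actor, 'page:edit', name, 'not staff');
  pages[name].body = body;
  return { ok: true, status: 200 };
}
```

The values that drive the decision (actor id and role) come only from the server-side session; the object id from the URL is used to look the resource up, never to establish who is asking. Field values written by updateProfile still need the input validation discussed under the profile XSS issue.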


Summary
We would like to remind readers that the project is huge and still in beta, so issues like those we have listed are very common and normal; anyway, the experts hope the developers will fix them in a very short time.
Indeed, those flaws are very critical since they allow an attacker to completely wipe the platform, potentially infect every user, or steal their credentials and sensitive data.
Voidsec would like to point out that they have only scratched the surface: this brief analysis was done by hand, and they haven't checked for the presence of other classes of flaws, including SQLi, CSRF, and token and session handling.

The number of vulnerabilities is probably greater.

Pierluigi Paganini

(Security Affairs – XSS , minds.com)
