Wednesday, February 7, 2007

Netvibes Security Problems

There was some buzz recently in the French blogosphere: personalized homepage service Netvibes exposed a vulnerability that allowed one module developer to gain some access to Google accounts (through the carelessness of some Google users, if I understand it right) as well as private Netvibes developer information. “[T]his vulnerability is now fixed,” the official Netvibes blog announced this week, adding that “the module developer unethically exposed the vulnerability on his blog before contacting us.” TomHTML of French Google blog Zorgloob wraps up what happened.

So, the French guy said he first created a module for Netvibes, which was agreed to be published online. Then, you can modify your module without any more verification from Netvibes. Which is completely stupid....

“I inspected the website and found a flaw. I modified my module to get information of the users using my module. Needs only 10 lines of code. So at this step, I was able to get the mail address of the user, a list of his feeds (with the ability to remove feeds), calendars, webnotes, Gmail labels via the feed mail.google.com/mail/feed/atom ... I also got the parameters of the modules installed, particularly dangerous if you use the module to watch your Adsense gains in real time...”

Then he created a blog of his, and wondered: “Among the users of my modules, is there a Netvibes developer?” He searched for “@netvibes.com” and JACKPOT! A developer of Netvibes.

So he checked what there is in this developer’s webnotes, where everybody can write something in order to not forget something... “There were logins and passwords for the development site of Netvibes and the wiki!!! There were also logins/ passwords to backup databases, and databases which contain the list of all user data!” It’s unbelievable, and nobody would’ve trusted him if not for the screenshoots he made.

“Surfing on their (private) wiki, I discovered what Netvibes is developing. No scoop here: a mobile version, integration of the Google widgets, partnerships with well known brands (Google, AOL, Skype, ...), the creation of a ’netvibes community’ with profiles and friends networks.”

“Moreover, I have access to all PHP files, and was able to find more flaws!!! ... Finally, I had access to the backup user database with logins/ passwords. Passwords are encrypted in MD5... but thanks to websites like md5.c.la I was able to decrypt a fifth of the passwords. The worst thing is that a large part of the users use the same password for Netvibes as they do for Google accounts... just like me!”

“So I published this article and then I alerted netvibes security team”

“Advise for Netvibes team:
• change all the passwords for the Netvibes development website
• educate developers about security
• delete all their webnotes with confidential data
• block all the modules which save logins/ passwords of third party websites
• ask all users to change their passwords
• contact me to let me tell you where the flaw is

Advice for users:
• change your passwords often
• don’t enter confidential data in webnotes
• be careful about theses new “2.0” websites, even if they’re as popular as netvibes...”

Now the blog where this article was published has been deleted, I think he deleted his blog himself (fearing what he had revealed), or maybe someone else deleted it...

Netvibes Security Problem ... by TomHTML | Comments (7)

>> More posts

Advertisement