Justin.tv non-malicious cross-site scripting worm
Written by DP
Tuesday, 8 July 2008
x2Fusion from TheDefaced.org security team, recently contacted us in regards to a serious XSS vulnerability on the popular lifecasting website Justin.tv:
"As of 'Sat, 28 Jun 2008 21:52:33 GMT' - An XSS worm was released on this website,
this was and is meant only for research purposes. It was successfully executed and
lasted roughly around 24 hours.
We have recorded such records making it possible for us to create graphical images
graphing the progress of this XSS worm as it infected each profile upon the last
The XSS Vulnerability was discovered and fixed during 'Sun, 29 Jun 2008 21:12:21
GMT', with an after mass of 2525 profiles."
Due to insufficient input sanitization of the Location field on users' profiles, TheDefaced.org team could add the following code:
<iframe id='tframeid' width=0 height=0 frameborder=0></iframe><script
The worm's source code will soon be posted on XSSing.com.
"This actually is the very first XSS worm which we have unleashed, and it was
solely upon research reasons; non-malicious at all :)
We've contacted the JTV Programmers prior to the fixing of the XSS worm and
have sorted things out with them and made sure that they knew NO information such as IP Address, Cookies, Sessions and further
information which poses private is not to be released. After that I put myself
forward and found another XSS in turn to prove that I was dedicated to
helping JTV out in any further possible vulnerabilities", says x2Fusion.
Related News and Information:
* Progress Graphs: http://thedefaced.org/jtv/jtvworm-graph.png
* JTV Blog(about the xss) #1:http://blog.justin.tv/2008/06/xss-hole-closed-sorry-for-trouble.html
* JTV Blog(about meeting) #2: http://blog.justin.tv/2008/07/dear-justin.html
* Following Meeting: http://www.justin.tv/help/146816/XSS_worm