Early this morning, the security group Virtual Luminous published a
vulnerability in 'Ebuddy Web Messenger' and we would like to inform
you that this vulnerability had been discovered and reported to the
vendor on June 5th, 2011 by DcLabs Security Research Group.
In the report below you are going to find videos and references to the
date when the POC was sent to the vendor and the follow-up regarding
the timeline for the release.
[Discussion]
[Software]
[Vendor Product Description]
eBuddy is a privately-held company which owns a browser-based web
and mobile messenger service supporting various instant messaging
services. eBuddy was launched in 2003 under the name e-Messenger,
located at www.e-messenger.net, before re-branding itself in 2006 to
eBuddy.
eBuddy supports Windows Live Messenger, Yahoo! Messenger, AIM, ICQ,
Google Talk, MySpace Instant Messenger and Facebook Chat using one
interface. eBuddy can also be accessed from mobile platforms such as
iOS, Nokia Symbian and Android.
Site: http://www.ebuddy.com
[Advisory Timeline]
[Bug Summary]
[Impact]
[Affected Version]
[Bug Description and Proof of Concept]
Exploiting the HTML-injection issue allows an attacker to execute
HTML and JavaScript code in the remote user's context, to steal
cookie-based authentication credentials, or to control how the site
is rendered to the user; other attacks may also be possible.
Moreover, cross-site scripting (XSS) vulnerabilities are caused by a
lack of input validation, which allows an attacker to inject
arbitrary HTML and script code. More info at:
http://en.wikipedia.org/wiki/Cross-site_scripting
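Added example, not part of the original advisory and not eBuddy code:
a browser-based messenger that concatenates message fields into markup,
next to the same renderer with output encoding applied at render time.
The function names, the message shape and the sample message are
hypothetical and constructed for illustration.

```javascript
// Characters that change meaning in HTML element content or quoted attributes.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;'
};

// Encode untrusted text so the browser treats it as data, not markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: sender-controlled fields go into the page verbatim.
function renderMessageUnsafe(msg) {
  return '<div class="msg"><span class="from">' + msg.from +
         '</span>: ' + msg.body + '</div>';
}

// Hardened pattern: every untrusted field is encoded before concatenation.
function renderMessageSafe(msg) {
  return '<div class="msg"><span class="from">' + escapeHtml(msg.from) +
         '</span>: ' + escapeHtml(msg.body) + '</div>';
}

// Regression check (not a sanitizer): does the rendered output contain
// active elements or event handlers that the template never emits?
function containsInjectedMarkup(html) {
  return /<\s*(script|img|iframe|svg)\b|\son\w+\s*=/i.test(html);
}

// Constructed sample message carrying markup in both fields.
const sample = {
  from: 'buddy"><i>',
  body: '<script>document.title="injected"</script> hi & bye'
};

console.log('unsafe:', containsInjectedMarkup(renderMessageUnsafe(sample)));
console.log('safe:  ', containsInjectedMarkup(renderMessageSafe(sample)));
console.log(renderMessageSafe(sample));
```

Encoding belongs at the point of output, for the context the value
lands in; the encoder above covers HTML element content and quoted
attribute values only.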
All flaws described here were discovered and researched by:
Rener Alberto aka Gr1nch.
DcLabs Security Research Group
gr1nch (at) dclabs <dot> com <dot> br
[Patch(s) / Workaround]
N/A
[Greetz]
DcLabs Security Research Group.