Ustream.tv Search Order XSS

Hey look everyone, yet another demonstration of how cross-site scripting (XSS) can be used for evil. This time we find ourselves at ustream.tv, and yet again this is a simple-to-find vulnerability. The value of the order parameter on the site search was reflected into the title of the results page without proper HTML encoding.

The video demonstrates an attacker sending a link to a broadcaster. Note that links must be enabled in chat, otherwise they are stripped. If the victim clicks on the link, all of their shows are deleted, leaving the namespace open for somebody else to claim. Something interesting to note is that the chat logs persist through the deletion.

Some of you may be wondering why the XSS is even needed to carry out this attack. The reality is that it is not. Plain cross-site request forgery works just fine. To target a user, one would only have to do the following.

1. Look up the user's list of channels: http://www.ustream.tv/json/user/evilpacket/listAllChannels
2. Craft delete URLs: http://www.ustream.tv/mybroadcasts/delete/[CHANNELID]
3. Send the user a link, or get them to visit your malicious page, so that their browser issues the requests for you, cross-site request forgery style.
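As an added illustration (this is not code from the advisory or from Ustream), the two defects described above beside their fixes: a search title that reflects the order parameter raw versus one that HTML-encodes it, and a hypothetical delete handler that refuses plain GET links and requires a session-bound anti-CSRF token. Function names, the secret and the sample input are all constructed for the demo.

```python
import hashlib
import hmac
import html
from typing import Optional, Tuple

# Constructed demo secret; not a value from the advisory.
SECRET = b"constructed-demo-secret"


def vulnerable_search_title(order: str) -> str:
    """The defect described in the advisory: the raw 'order' parameter is
    reflected into <title>, so a value containing '</title>' closes the
    title element and whatever follows is parsed as markup."""
    return f"<title>Search results ordered by {order}</title>"


def safe_search_title(order: str) -> str:
    """Hardened form: HTML-encode the value before reflecting it, so '<',
    '>', '&' and quotes can never terminate the <title> element."""
    return f"<title>Search results ordered by {html.escape(order, quote=True)}</title>"


def csrf_token(session_id: str, secret: bytes = SECRET) -> str:
    """Per-session anti-CSRF token: an HMAC over the session id. A page on
    another origin cannot read it, so it cannot forge a valid request."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def handle_delete(method: str, session_id: str, form_token: Optional[str],
                  channel_id: str, secret: bytes = SECRET) -> Tuple[int, str]:
    """Hypothetical /mybroadcasts/delete handler with the two checks the
    CSRF variant above would have needed: refuse GET (a plain link must
    not change state) and require a token bound to the victim's session."""
    if method != "POST":
        return 405, "state-changing action requires POST"
    if form_token is None or not hmac.compare_digest(
            form_token, csrf_token(session_id, secret)):
        return 403, "missing or invalid CSRF token"
    return 200, f"deleted channel {channel_id}"


if __name__ == "__main__":
    sample = "</title><b>injected</b>"  # constructed input, not a real payload
    print(vulnerable_search_title(sample))
    print(safe_search_title(sample))
    print(handle_delete("GET", "sess-1", None, "42"))
    print(handle_delete("POST", "sess-1", csrf_token("sess-1"), "42"))
```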

Music: Dan Deacon - The Crystal Cat

Disclosure Timeline:

  • 2009-08-30 - Initial Vendor Notification via email
  • 2009-09-17 - Second vendor notification via site contact form
  • 2009-09-18 - Security contact requested via twitter
  • 2009-09-23 - Intent to disclose posted via twitter
  • 2009-09-24 - First vendor response with intent to fix
  • 2009-09-29 - Vulnerability fixed (no communication from vendor)
  • 2009-09-29 - Alternative (csrf based) vulnerability reported to Ustream
  • 2009-10-01 - Vendor response with intent to fix / passing along to development
