A few days after the site launched, my friend Bryan Kendall found a persistent XSS vulnerability in MCommunity within a couple of minutes of looking at the site. He reported the problem to the Michigan security team.
…Or how I almost wormed MCommunity
Days passed and I got curious about how MCommunity itself worked as it obviously used a lot of AJAX to load information on pages. So I took a look at what those calls looked like using Chrome’s developer tools. It looks as though MCommunity is sitting on top of a pretty nice JSON API! They included endpoints for gathering info on an account, the current user’s auth info, and various other endpoints including the one for updating a profile.
After testing this to see if it worked with a couple of friends (letting them know what would happen beforehand), I stopped loading that script into my profile so as not to actually modify anyone else's data. I replaced it with a simple alert that said that MCommunity was vulnerable and that concerned users should notify the University.
Had I been malicious, I could have modified others’ profiles so that when they were viewed, they too would attack other people’s profiles. This worm could have spread out of control and caused much grief. There are also any number of other things that an attacker could do with an open XSS bug. This is why testing for these things in development is so important.
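To make the propagation concrete, here is an added example (not code from the post, and not MCommunity's code) that models a directory whose profiles are fetched from a JSON API and rendered client-side. The profile fields, the `WORM_MARKER` stand-in payload, the view sequence and the hypothetical update call are all assumptions; the point is the difference between rendering API data straight into markup and encoding it first, plus a development-time check that catches the unsafe renderer.

```javascript
// Added example: in-memory model of a profile directory rendered client-side.
// Everything here (field names, the payload marker, the view order) is made
// up for illustration; none of it is MCommunity's code or data.

// Constructed stand-in for a self-propagating payload stored in a profile field.
const WORM_MARKER = '<script>/*worm*/</script>';

// Encode the five characters that matter when untrusted text goes into HTML.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable renderer: interpolates API data directly into markup
// (the innerHTML pattern that makes a stored payload execute on view).
function renderProfileUnsafe(profile) {
  return `<div class="profile"><h2>${profile.name}</h2><p>${profile.about}</p></div>`;
}

// Hardened renderer: every untrusted field is encoded before it reaches markup.
function renderProfileSafe(profile) {
  return `<div class="profile"><h2>${escapeHtml(profile.name)}</h2><p>${escapeHtml(profile.about)}</p></div>`;
}

// Simulated browser: a live <script> element in the rendered markup counts as executed.
function scriptWouldRun(html) {
  return /<script\b/i.test(html);
}

// Simulate the worm the post describes: each time a viewer loads an infected
// profile, the payload "runs" and writes itself into the viewer's own profile
// through the (hypothetical) profile-update endpoint. Returns the number of
// infected profiles after all views have happened.
function simulateViews(profiles, views, render) {
  const state = new Map(Object.entries(profiles).map(([id, p]) => [id, { ...p }]));
  for (const { viewer, target } of views) {
    const html = render(state.get(target));
    const victim = state.get(viewer);
    if (scriptWouldRun(html) && !victim.about.includes(WORM_MARKER)) {
      // In the real app this would be updateProfile(viewer, {...}); here we mutate state.
      state.set(viewer, { ...victim, about: victim.about + WORM_MARKER });
    }
  }
  return [...state.values()].filter((p) => p.about.includes(WORM_MARKER)).length;
}

// Development-time regression check: feed known payloads through a renderer
// and report the ones that come out verbatim (i.e. still able to execute).
const XSS_PAYLOADS = [
  '<script>alert(1)</script>',
  '"><script>alert(1)</script>',
  '<img src=x onerror=alert(1)>',
];

function survivingPayloads(render) {
  return XSS_PAYLOADS.filter((p) => render({ name: 'test', about: p }).includes(p));
}

// Constructed sample data: one seeded profile and a chain of views A -> B -> C -> D.
function sampleProfiles() {
  return {
    A: { name: 'Alice', about: 'hello ' + WORM_MARKER },
    B: { name: 'Bob', about: 'hi' },
    C: { name: 'Carol', about: 'hey' },
    D: { name: 'Dave', about: 'yo' },
  };
}

function sampleViews() {
  return [
    { viewer: 'B', target: 'A' },
    { viewer: 'C', target: 'B' },
    { viewer: 'D', target: 'C' },
  ];
}

console.log('infected (unsafe render):', simulateViews(sampleProfiles(), sampleViews(), renderProfileUnsafe));
console.log('infected (safe render):  ', simulateViews(sampleProfiles(), sampleViews(), renderProfileSafe));
console.log('payloads surviving unsafe:', survivingPayloads(renderProfileUnsafe).length);
console.log('payloads surviving safe:  ', survivingPayloads(renderProfileSafe).length);
```

With the unsafe renderer every view in the chain infects the viewer, so all four profiles end up carrying the payload; with the encoding renderer the seeded profile still stores the string but it never executes, so nothing spreads. The `survivingPayloads` check is the kind of test that would have flagged the unsafe renderer before launch.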
I promptly reported the vulnerability as well because I didn't want others doing this to me! I quickly got a response from the security team saying they had passed it on to the MCommunity team. About a week later, on August 2nd, I noticed that the vulnerability had been fixed and no longer worked. They must have patched it in one of these releases, despite not mentioning it in those notes.
Overall the response from the University was very good. I do hope that they are on the lookout for further vulnerabilities in the application. It houses so much information on the entire Michigan community that it would be disappointing to see that be abused by a malicious attacker.