I really like playing this game www.trendio.com
It was good fun till the site got redesigned and I lost all the virtual money I had made on the site. They also ajaxified the site and added lots of other things, making it really heavy.
Yesterday myself and a friend, Harish JP, were talking about how much we missed playing the site and decided to check out whether the vulnerabilities were actually an issue with the site.
Pretty soon we hit this loophole.
You can try it out yourself:
1) Log in to the site
2) Check out the link
http://www.trendio.com/word.php?language=en&wordid=1246 or id = 1279
3) It shows you a word which costs 0.01$. Then go ahead and buy as many shares as you want of that word, on the page.
4) Come back to your portfolio and check that the word magically turns into the "Earthquake" word, which has a value of 63$
So the bottom line is for every dollar you put in buying the word you get 6300 dollars.
I tried it out, made a billion (virtual) dollars and here is the rank list from today morning.

PS: I am informing Jensen the creator of this site about this issue so it might not be around too long. I hope he sends me the geek T-Shirt :)
If you are not a technical person, I would suggest not reading what is written below, because you might want to pull your hair out.
Now here is why this happens and how to fix it:
The site uses PHP and MySQL as the backend.
It receives the form data as a GET request, so the parameters are visible in the address bar of the browser.
(NOTE: Sending the form by POST instead would only keep the parameters out of the address bar; it is not a security control, because anyone can craft a POST request just as easily. Every request parameter must be treated as attacker-controlled and validated on the server.)
The GET request looks like http://trendio.com/word.php?language=en&wordid=1 in the browser for the Earthquake word.
Now that I know the request he sends and what variables need to be set, I play around with it.
I change it to
http://trendio.com/word.php?language=en&wordid=1'
NOTE: There is a single quote at the end of the wordid
MySQL expects a number after id=, but because of the quote the query now ends in id=1' which is not valid SQL, so MySQL rejects it with a syntax error, and the script echoes that error straight back to the browser:
"Error: Unable to perform query: SELECT method, word, lastquot, variation, categoryID FROM words_en where id=1' :You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1 "
This error gives away the table name (words_en), the column names and the exact shape of the query, so I now know how my input is spliced into it.
(NOTE: The errors from the mysql_ PHP functions should never be displayed to the user. Putting @ in front of the mysql_ calls only silences PHP's own warnings, and does nothing if the script prints mysql_error() itself, as this one does. Check the return value, log the error server-side, show the user a generic message, and keep display_errors off in production.)
Also, wordid should have been checked to be an integer before it reached the query. PHP has no isint() function; ctype_digit() (or filter_var() with FILTER_VALIDATE_INT) does the job, and the value should then be cast to (int) before it is placed in the SQL.
Eg:
if (isset($_GET['wordid']) && ctype_digit($_GET['wordid']))
{
    $id = (int) $_GET['wordid'];   // guaranteed to contain only digits
    $result = mysql_query("SELECT method, word, lastquot, variation, categoryID FROM words_en WHERE id=$id");
    if ($result === false)
    {
        error_log(mysql_error());  // log it server-side, never print it to the user
        // show a generic error page
    }
    // Do something with $result
}
else
{
    // print a generic error message: the value was not a number
}
This check alone would have blocked this injection.
Better still, use prepared statements (mysqli or PDO) so that user data is never spliced into the SQL text at all; then a stray quote cannot change the query no matter what is typed, and a few small checks like these keep SQL injection attacks out.
Also, escape user input before echoing it back into a page.
If I post a comment like
<script src="http://blah/blah.js"></script>
and it is written into the page unescaped, the browser does not show it as text but executes it for every other user who opens the page to read the comments. strip_tags() in PHP can remove HTML from the submitted comment, but the reliable fix is to escape on output with htmlspecialchars(), which turns < and > into &lt; and &gt; so the comment is rendered as plain text.
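Putting the three fixes together, here is a hardened version of the word lookup. This is an added example written for this post, not trendio's code: it assumes the table and columns named in the leaked error message, the mysqli extension with placeholder credentials (the old mysql_ functions were removed in PHP 7), and a made-up language whitelist.

```php
<?php
// Added example (not trendio's code): a hardened word.php applying the three
// fixes discussed above. Assumptions: the table and columns from the leaked
// error (words_en: id, method, word, lastquot, variation, categoryID), a mysqli
// connection with placeholder credentials, and an assumed language whitelist.
declare(strict_types=1);

// Fix 1: never leak database errors. mysqli is told to throw exceptions; they
// are caught below, logged server-side, and the user sees a generic message.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
ini_set('display_errors', '0');

// Fix 2: validate the type before the value goes anywhere near SQL.
// FILTER_VALIDATE_INT rejects "1'", "1 OR 1=1", "" and "1.0"; only an
// integer of at least 1 passes.
function word_id_from_query(array $query): ?int
{
    $id = filter_var($query['wordid'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The language selects a table name, and table names cannot be bound as
// parameters, so map it through a fixed whitelist instead of interpolating it.
function words_table(array $query): ?string
{
    $tables = ['en' => 'words_en', 'sv' => 'words_sv']; // assumed languages
    return $tables[$query['language'] ?? ''] ?? null;
}

// Fix 3: escape on output so a word (or comment) containing <script> is shown
// as text, never executed by the browser.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$wordid = word_id_from_query($_GET);
$table  = words_table($_GET);
if ($wordid === null || $table === null) {
    http_response_code(400);
    exit('Invalid request');
}

try {
    $db = new mysqli('localhost', 'trendio', 'placeholder', 'trendio'); // placeholder credentials
    $db->set_charset('utf8mb4');

    // Prepared statement: the SQL text is fixed and the id travels separately,
    // so a quote in the input can never change the structure of the query.
    $stmt = $db->prepare(
        "SELECT method, word, lastquot, variation, categoryID FROM $table WHERE id = ?"
    );
    $stmt->bind_param('i', $wordid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
} catch (mysqli_sql_exception $e) {
    error_log('word.php: ' . $e->getMessage()); // detail stays in the server log
    http_response_code(500);
    exit('Temporary error, please try again later');
}

if ($row === null) {
    http_response_code(404);
    exit('No such word');
}

header('Content-Type: text/html; charset=UTF-8');
echo '<h1>' . h($row['word']) . '</h1>';
echo '<p>Last quote: ' . h((string) $row['lastquot']) . '</p>';
```

With wordid=1' the script answers 400 before any SQL runs; with a valid id, a database failure is logged with error_log() and the user only sees the generic message; and a word whose text contains markup is rendered as text rather than executed.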
Hope you find this blog post useful.
Jensen,
hopefully you would fix trendio (PS: Kindly restore the 46 million $ I had with the old trendio. While you are at it, can we get back the old interface also?) (PS: Can I get a Geek T-shirt for pointing out the bugs with trendio???)
Final PS: I am willing to help you fix the bugs provided you give me access to the code.