XSS at IMVU – Still unprotected
At the end of March 2007, the IMVU team announced a flaw in their system that made it possible to hijack other users' accounts through simple XSS injections. Of course, the people behind those attacks were stupidly exposed, since the hijackers were sending large amounts of credits to themselves. The XSS was stopped by simply disabling all JavaScript/HTML coding temporarily until the issue was solved.
The issue was solved. Almost. One problem seems to be that the IMVU team missed the natural way of evading such fixes. With a small change to a script that makes it possible to hijack accounts, the issue is still reachable by whoever finds out how to do this. Allowing users to enter their own HTML code on any website will always open doors to new hacking threats. The best solution against such things is to seriously consider disabling this completely (or disabling JavaScript in the web browser). But then, IMVU will probably not be as “fun” as its users think it is now…
There are also two threads on the IMVU forum that might be interesting to refer to regarding this subject.
The first thread is probably the first sign of where people started to discover that something was wrong.
The second thread is where IMVU disabled scripting, and where they were supposed to fix this issue.
[…] the site solely a historic security disaster. I have previously written a post in English (http://tmm.tornevall.net/blog/2007/10/01/xss-at-imvu-still-unprotected/) about the security of the site in particular, since they allow a little too much designing […]