Here is what happened in February 2007, re-edited for brevity and readability.
I was new to Squidoo and had just created my account and my first lens. A lens is what Squidoo calls the pages that users make; their FAQ describes it like this: "It's an easy-to-build, single web page that can point to blogs, favorite links, RSS feeds, Flickr photos, Google maps, eBay auctions, CafePress designs, Amazon books or music, and more." My lens was an experiment to evaluate Squidoo for a project that I was working on; I certainly wasn't expecting to find a gaping security hole!
After creating my account I had received a mail from Squidoo, in order to verify my e-mail address and activate my account. That all worked (I wasn't paying much attention to this process, as it is so common). Later I had an evening in town with some friends, and after returning home I wanted to make a quick update to my new lens before going to bed. But when I tried to log in, I was denied access and got the message that my account was still not confirmed. Weird: I was sure I had already confirmed my account. But a link allowed me to resend the confirmation e-mail, so I did that.
What they sent me was this link:
I clicked on it and was logged in.
But then I started to think: how come I was logged in? I did type in my userid and password before having them send this mail, so maybe that in combination with following the confirmation link is what did it? But I did not type it in again after following that link! That got me thinking.
As you can see in the link, the last part (ottodv) is my userid. So I decided to do a simple check. From the Squidoo homepage I randomly chose a lens and noted the userid of that lensmaster. Then I replaced my userid with that of the other lensmaster in the confirmation link... Surprise! Without supplying any password I was logged in as the other lensmaster and I could edit his lenses (at least I could enter edit mode).
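The check above works because the confirmation link identifies the account by nothing more than a guessable userid. The following is an added example, not code from the post or from Squidoo, that contrasts a reconstruction of that design with the form a confirmation link should take: a random token, stored only as a hash, bound to one userid, single-use and expiring. The user table, the function names, the link format and the `example.invalid` host are all assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed user table for the demo; Squidoo's real accounts and schema are
# not on the page, only the userid "ottodv" and the fact that Ken had one.
USERS: Dict[str, Dict[str, bool]] = {
    "ottodv": {"confirmed": False},
    "ken": {"confirmed": False},
}


def confirm_insecure(userid: str) -> Optional[str]:
    """Reconstruction of the flaw the post describes (assumed, not Squidoo's code):
    the link carries only the userid, so the server cannot tell the account
    holder from anyone else who knows that userid."""
    if userid not in USERS:
        return None
    USERS[userid]["confirmed"] = True
    return userid  # a session is issued for whoever the URL names


def _digest(token: str) -> str:
    """Store only a hash of the token so a leaked table does not leak live links."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class ConfirmationService:
    """Hardened form: random, single-use, expiring token bound to one userid."""
    base_url: str = "https://example.invalid/confirm"  # placeholder host
    ttl_seconds: int = 24 * 3600
    _pending: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def issue(self, userid: str, now: Optional[float] = None) -> str:
        if userid not in USERS:
            raise KeyError(userid)
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[userid] = (_digest(token), now + self.ttl_seconds)
        return f"{self.base_url}?{urlencode({'u': userid, 't': token})}"

    def confirm(self, userid: str, token: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        entry = self._pending.get(userid)
        if entry is None:
            return None  # no outstanding confirmation for this userid
        stored_digest, expiry = entry
        if now > expiry:
            del self._pending[userid]  # expired: the user must request a new link
            return None
        # Constant-time compare so a wrong token cannot be refined via timing.
        if not hmac.compare_digest(stored_digest, _digest(token)):
            return None
        del self._pending[userid]  # single use: a leaked link cannot be replayed
        USERS[userid]["confirmed"] = True
        return userid


def parse_confirmation_link(url: str) -> Tuple[str, str]:
    """Split a link produced by issue() back into (userid, token), as the
    confirmation endpoint would."""
    qs = parse_qs(urlparse(url).query)
    return qs["u"][0], qs["t"][0]
```

With the hardened service, swapping the `u` parameter for another userid no longer helps: the token in the link only matches the hash stored for the account it was issued to, and it stops working after one use or after the time-to-live, so a forwarded or logged link is not a standing credential.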
Then, of course, came the dilemma. I am not going to vandalize someone else's work, but I still wanted to check how far I could actually go. Thankfully I then thought of my friend Ken; he was the one who had suggested Squidoo to me, and of course he had a lens. I know him well and knew he wouldn't mind if I made a small edit to his lens. So I looked up his userid and, using that in my URL, I became Ken on Squidoo. I edited one of his lenses by adding three exclamation marks to it. Then I mailed him that I had "hacked" his lens; he replied that he was very impressed.
OK, proof enough. I had to do something now to get the problem fixed. This method was so easy that it could be discovered by anyone else at any moment, presuming other new users would receive these "confirmation" e-mails as well. It was therefore vital that it got fixed quickly. I initially reported the problem via the "bugs & feedback" feature on the Squidoo website, but the next day it had not yet been picked up. So I decided to make it public and hopefully attract some attention from Squidoo staff, or from someone who could get the attention of Squidoo staff. However, I had to prove my claim in such a way as not to risk revealing how I did it (even trying to avoid anything that could be used as a clue).
So I made a webpage with some screenshots of me logged in as other users and posted it on Digg. I later found that Squidoo actually had a forum and then I posted it there too. As I couldn't reveal how I did it, I instead offered to hack the lenses of those who gave me permission:
Because of the risk of abuse of this exploit, I will not publish any details on how I managed to do this until after Squidoo has resolved the issue. Instead, in order to prove my claim, people with a Squidoo lens can mail me and ask me to add a short text to their Lens. This is how it will work:
- Edit your lens, and add the text "Hack me Samy" anywhere in the top portion of your page. This proves to me that you gave me permission to edit your lens and that it actually belongs to you (unless of course you hacked it).
- Add the URL of your lens to the Digg story, the Squidu forum or mail it to me.
- I will add the text "Samy is my hero again" after that line.
- Please leave the change so I can add the URL to the list below as proof.
Only one person, Marco Casteleijn, gave me permission to hack his lens:
As the issue has been resolved I can safely publish a full screenshot on which you can see how simply typing in the confirmation URL led to being logged in:
p.s. "Samy is my hero again" is a tribute to Samy's MySpace exploit. He did cross the line by altering other people's stuff.