I have discovered a serious flaw in the Nick.com Children's TV Site's message boards. Information: Nick.com is a website for Kids whom watch the Nickelodeon cable channel. They offer a message board area that's moderated heavily to try to make it one of the safest areas on the net. Vulnerability: When you create a user and log in to their message board system (powered by PeopleLink), a JavaScript window pops up with the forum selection and main content inside. This doesn't work too well with window resizing/scrolling in Mac OS X (my OS of choice) so I chose to open the JavaScript's html contents in a new window. This helped the problem, but reviled a major flaw in their user identification system. The URL is formed like this: http://plnk.peoplelink.com/plnk/nickelodeon/boards40/frame.cfm?handle=ANY_USERNAME_HERE& intgroup=100000910 Handle means the Username of the poster. "intgroup" is the Forum/Message ID. You can change the "handle" part of the URL to _ANY_ name, including already registered names. You then can post as any username. However, all messages take up to 24 hours to be "approved," but if the message is "clean," it usually will be approved, even if the name is fake. This has been tested. It was obvious that this was hidden in a JavaScript popup to probably cover this flaw. I have contacted the webmaster and the domain's whois contact (which bounced back). Today the site announced a fix which would take place Monday: Fix: Nick.com forum moderators have confirmed they will be switching to a new message board system this coming Monday, and leaving all former data behind. This appears to be due to the problem I discovered, however I was never contacted directly to confirm this.
This archive was generated by hypermail 2b30 : Fri Jan 04 2002 - 15:14:09 PST