Today I discovered a vulnerability in klout.com.
This bug allows you to update other people’s stats, change their password, or change their email.
The vulnerability lies in the cookies.
To achieve the desired result, you must edit your cookies (for example with the Firecookie plug-in for the Firebug add-on for Firefox).
One must then log in WITH “remember me” enabled.
If you have Firecookie open, you will now see your own username in one of the cookies; you must change this to the username of your victim.
Next, delete the PHPSESSID in your cookies, navigate to another page on Klout, and then go to “My Profile”. You should then see that you are now logged in as your victim.
NOTE: This is merely a bug I discovered and am disclosing here. This is for educational purposes only and I will not be held responsible for any harm done. I will also, as of this moment, not answer any further questions about this disclosure.
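The root cause described above is a “remember me” cookie that carries a bare username which the server trusts as-is. The following added example (not Klout’s code; the cookie name `remember_user`, the key handling and the token layout are assumptions) contrasts that weak check with a signed, expiring token that the server can verify, so that swapping the username in the cookie no longer yields a valid login.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Server-side key: generated once at startup here for the demo; in a real
# deployment it is loaded from configuration and never sent to the client.
SECRET = secrets.token_bytes(32)


def weak_user_from_cookie(cookie: dict) -> Optional[str]:
    """The pattern the post describes: whatever username the cookie says,
    the server believes. Anyone who can edit their cookies chooses the user."""
    return cookie.get("remember_user")


def issue_remember_token(username: str, ttl: int = 30 * 86400,
                         now: Optional[int] = None) -> str:
    """Build a 'remember me' token: username:expiry:HMAC-SHA256 over both."""
    current = now if now is not None else int(time.time())
    payload = f"{username}:{current + ttl}"
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def user_from_remember_token(token: str,
                             now: Optional[int] = None) -> Optional[str]:
    """Return the username only if the token's MAC verifies and it has not
    expired; any tampering with the username or expiry invalidates the MAC."""
    parts = token.rsplit(":", 2)  # rsplit keeps usernames containing ':' intact
    if len(parts) != 3:
        return None
    username, expires, mac = parts
    payload = f"{username}:{expires}"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, expected):
        return None
    current = now if now is not None else int(time.time())
    if not expires.isdigit() or int(expires) < current:
        return None
    return username
```

After a token verifies, the server should still create a fresh PHPSESSID-style session for that user rather than reading the username from the cookie on every request.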
Have you made contact with klout.com to inform them of this vulnerability before posting on this page?
Yes, I have contacted klout.com to inform them of this vulnerability.
Sorry I didn’t post an update here, but we pushed out a fix to this vulnerability shortly after it was brought to our attention.
Kevin Olson
Klout.com
That’s great, and it was fixed pretty fast too!
It wasn’t a major security bug, as to my knowledge it only really allowed you to update other people’s statuses, but a bug is a bug!
Good job!