Security Alert: Fetlife Vulnerability Exposes Sensitive Information

A recent vulnerability spotted in Fetlife, a social networking website that serves people interested- in fetishism, has been exploited in the wild, researchers found. However, the company claimed that the impact of the vulnerabilities on the FetLife platform is “non-existent”. 

The Fetlife vulnerability, identified as CVE-2023-25309, has exposed the platform to a potential exploit, allowing threat actors to gain unauthorized access to sensitive user information.

Categorized as a Cross-Site Scripting (XSS) flaw, the Fetlife vulnerability specifically affects the platform’s rollout-ui version 0.5. 

By leveraging a crafted URL designed to manipulate the “delete a feature” functionality, attackers can execute arbitrary code within the platform.

This malicious activity can enable threat actors to compromise user accounts, compromise personal information, and even perform unauthorized actions on behalf of unsuspecting users.

The vulnerability has been addressed and the user data and the profile information remain secure, a FetLife spokesperson told The Cyber Express.

“The vulnerability requires a user interaction: the attacker has to convince a victim to open a crafted URL and click a button on the page,” FetLife spokesperson said.

They further stated that, “Only a limited number of security-focused individuals have access to that page and they have no reason to follow these instructions from a third-party as they look suspicious.”

Fetlife vulnerability explained 

The severity of Fetlife vulnerability is rated high. When exploited, the Fetlife vulnerability can lead to significant harm, ranging from identity theft to reputational damage for individuals and the Fetlife platform itself. 

Heiko Webers from bauland42 discovered the Fetlife vulnerability, and his research found some dire consequences of this security flaw.

The vulnerable version, Rollout::UI v0.5, is an integral component of Fetlife’s infrastructure, serving as a minimalist UI for the rollout gem. It is designed to be mounted as a Rack app, enhancing the user experience within the platform. 

However, the flaw lies in the improper escaping of the feature’s name in the “Do you really want to delete ” confirmation dialog.

This oversight allows the execution of the XSS attack when the user clicks the “Delete” button, thereby enabling unauthorized code execution.

The XSS vulnerability in the rollout-ui repository has been addressed, and a new version of the library has been released, read the company’s official response to The Cyber Express. The users do not need to take any action as their data and profile information remain secure, they reiterated

Technical Analysis of Fetlife Vulnerability

To illustrate the severity of the Fetlife vulnerability, security experts have provided a proof of concept.

An unsuspecting user can trigger a JavaScript alert by simply clicking on a maliciously crafted URL, demonstrating the potential for unauthorized access to sensitive user data. 

In response to this critical issue, the security community has recommended an immediate solution. Fetlife must update Rollout::UI to the latest version, incorporating the necessary fixes to mitigate the Fetlife vulnerability.

Specifically, the suggested solution involves utilizing the branch available at https://github.com/fetlife/rollout-ui/pull/15. Fetlife must promptly prioritize this update to address the vulnerability and protect its users from potential exploitation.

As of now, the vendor has not officially accepted the proposed fix, raising concerns among the user base and the wider community.

What is Cross-Site Scripting (XSS) vulnerability?

Cross-Site Scripting (XSS) is a web application vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.

It occurs when a web application does not properly validate or sanitize user input before including it in the output sent to the user’s browser. There are three main types of XSS vulnerabilities:

Stored XSS (Persistent XSS)

The malicious script is permanently stored on the target server and is served to users when they request a particular web page.

For example, an attacker might inject a script into a forum post, and when other users view that post, the script gets executed in their browsers.

Reflected XSS

In this case, the injected script is embedded in a URL or a form input, which is then reflected back to the user in the response from the server.

For instance, an attacker could craft a malicious link and send it to potential victims. The script is executed in their browser when the victim clicks on the link.

DOM-based XSS

This type of XSS occurs when the vulnerability is within a web page’s Document Object Model (DOM) rather than in the server’s response.

The attack involves manipulating the client-side JavaScript code responsible for modifying the web page’s structure or behavior. 

In conclusion, the recent discovery of the Fetlife vulnerability, marked by CVE-2023-25309, underscores the pressing need for heightened security measures.

The platform must immediately address the Cross-Site Scripting flaw in Rollout::UI version 0.5. By doing so, Fetlife can protect its users, preserve their trust, and contribute to the broader mission of creating a safer digital environment. 

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.