
Beware your Passwords!

Yo!

Today I'm writing an article about security. You may have noticed that Habbo is publishing news about changing your password and needing a secure password. But that can't be the answer if Habbo itself is insecure!

Habbo currently has an XSS security hole, so people could steal your SESSIONID and log in without knowing your password!

This is the XSS hole used just to display an alert window, but it could steal your session!

[image: screenshot of the alert window, missing from this copy of the post]

Thanks to Imadj and Nova for this image!

Beware of clicking suspicious links, even if they're from Habbo Hotel!
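The post says a session id can be stolen through the XSS hole and reused without the password. The following is an added example, not code from the original post or from Habbo, showing the two server-side controls that close that path: encoding user input on output so it cannot break out of the HTML, and marking the session cookie HttpOnly so injected script cannot read it even where an XSS remains. The cookie name JSESSIONID comes from the comments below; the welcome page, its parameter and the sample input are constructed for this example.

```javascript
// Added example (not part of the original post or of Habbo's code).
// The cookie name JSESSIONID is taken from the comments on the post; the
// welcome page, its parameter and the sample input are constructed here.

// Escape the five characters that let user input break out of HTML text.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: a query parameter reflected straight into markup.
function renderUnsafe(name) {
  return `<p>Welcome back, ${name}!</p>`;
}

// Fixed pattern: the same page with the parameter encoded on output.
function renderSafe(name) {
  return `<p>Welcome back, ${escapeHtml(name)}!</p>`;
}

// Crude detection used only to contrast the two renderers: does the rendered
// page contain any tag other than the template's own <p>?
function containsInjectedTag(html) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.some(t => !/^<\/?p$/.test(t));
}

// Set-Cookie header for the session. With HttpOnly the browser never exposes
// the value to document.cookie, so script injected through an XSS cannot
// exfiltrate the session id; Secure and SameSite are the usual companions.
function sessionCookieHeader(sessionId, opts = {}) {
  const { httpOnly = true, secure = true, sameSite = 'Lax' } = opts;
  let header = `JSESSIONID=${encodeURIComponent(sessionId)}; Path=/`;
  if (secure) header += '; Secure';
  if (httpOnly) header += '; HttpOnly';
  if (sameSite) header += `; SameSite=${sameSite}`;
  return header;
}

// Models the browser rule: a cookie with the HttpOnly attribute is not
// readable from script. Returns true when script could read it.
function isReadableByScript(setCookieHeader) {
  return !/;\s*HttpOnly(?:;|$)/i.test(setCookieHeader);
}

// Constructed sample input: a visitor name that carries markup.
const sampleName = 'Imadj<script>x</script>';

console.log('unsafe :', renderUnsafe(sampleName));
console.log('safe   :', renderSafe(sampleName));
console.log('cookie :', sessionCookieHeader('abc123'));
console.log('script can read session cookie?',
  isReadableByScript(sessionCookieHeader('abc123')));
```

Output encoding removes the injection; HttpOnly limits the damage of any injection that is missed. Neither replaces the other, which is why the post's advice to be careful with links still stands even on a site that sets the flag.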

- Imadj

10 replies on “Beware your Passwords!”

That's not "dangerous" for the accounts, since the session is not saved in habbohotel.xx/iot/go :) but yes in habbo.xx
--
Bienvenue :D

What an irony! Delicious!

The one who himself took part in countless thieving sprees in the German and Swiss Habbo Hotel, precisely through such an XSS hole, is now personally warning other users about possible attacks. Where does your sudden change of heart come from? A guilty conscience? :)

@German Guest:
Please talk English ;)
Why should I not warn :P

@Guest below:
Cuz you are useless :D

@Bienvenue:
Since Habbo failed again, there are maybe more than this one :P

Translation into English (@german), just Google Translate:
What an irony! Delicious!

The thief, who himself participated in numerous thefts in the German and Swiss Habbo Hotel, precisely through such an XSS vulnerability, is now very personally warning other users about potential attacks. Where did your sudden change of heart come from? Guilty conscience?

No, Imadj, he's right. You should really check into your "OMG EXPLOIT SHITS GON DOWN!12121!!!1021" posts, this XSS hole only affects the '*.habbohotel.tld/*' subset, not the '*.habbo.tld/*' subset, which JSESSIONID cookies are saved under. It could be used to, like, load a JS shell or something, but so could virtually any other URL. Hell, javascript:<code> wrapped with tinyurl could do more damage than this.

@A262:

There's another XSS on habbo.TLD. So, why not just warn people if there are XSS holes on habbo?

And now that will end, it will only be with e-mail.
Now it's the end, you can log in with e-mail.

--
H24
