A very popular online translator for other languages is dict.cc. In everyday use, we found a cross-site scripting (XSS) vulnerability in the login function, which we reported to the responsible developer.
Ifixit.com fixes csrf vulnerability
Ifixit.com is very popular among geeks who are interested in hardware. On the website you can inform yourself about different devices and learn how to fix broken things on your own, so you can save money and time. For users who are interested in hardware the website is worth a visit, because you can learn a lot about hardware. Next to the forum, ifixit also runs a small online shop where you can buy things like hardware tools. We discovered two CSRF vulnerabilities which affected the cart. The CSRF token was not validated correctly, so an attacker would have been able to add his own products to other users' carts unnoticed or remove products from them.
We sent an email to the security team on the 21st of March 2013 and got an answer 5 hours later that the issue had been verified. We were told that they had switched to Varnish (a tool for caching HTML files) to reduce the server load. Because of this, every CSRF token of a logged-out user was the same, so there was no correct validation.
But they realized that this is not a good idea for a product page, so they promised to fix it. In the same mail we were asked how we want to be listed on the responsible disclosure page and for an address to send a small thank-you gift to. We sent them the information and after small delivery problems we got an ifixit t-shirt and a small toolkit. We say thank you for the nice communication and the gift,
The team of internetwache.org
Zynga fixes a XSS vulnerability
Farmville and Cityville, both popular games in social networks, were created by the company Zynga, which has a yearly turnover of 850 million USD. Like many big companies, it also has a Hall of Fame where it thanks security researchers for reporting security threats in its online games or web applications.
Two findings at lastpass.com
“Lastpass” is a website which offers users a safe and easy way to secure their passwords. The service can be used on every system and there are plugins for every type of browser, so the service is really easy to use.
Top service and fast fixes at uberspace.de
Uberspace is a web-hosting company with a special offer. Instead of selling boring “web panels” they offer direct access via SSH. Other cool things are that you can choose the price you want to pay for the service, and the really epic support. That’s why we’re hosting our website (internetwache.org) on their systems.
(Un)thankful fix by adobe - Update
We found an XSS in the “language” parameter. The susceptible domain was “freeriatools.adobe.com”, where you have the opportunity to download some software.
Tedi discount fixes some XSS issues
“Tedi” is the name of a big discount chain (about 1300 shops) in Germany. Like every normal company, “Tedi” maintains a website on which it informs its customers about, for example, the newest offers and opening hours.
Dedicated abload.de team fixes some security issues
With over 83,000 registered users and about 35,000,000 uploaded pictures, abload.de is one of the biggest image hosters in Germany. The service has been online since 2006 and is very popular because of its usability and its big selection of options to modify uploaded pictures (image resizing, advanced options, etc.). Such popular web applications are often targeted by criminals who are interested in the user data.
Paypal running wordpress 2.3.3 - Bug Bounty #1
Paypal is a well-known company whose service is used for quick payment transactions. Because of this, vulnerabilities on their web page are especially sensitive. During our leisure time we found a couple of potentially dangerous security issues.
Meraki Bugbounty - Simple XSS
A couple of days ago meraki.com started a bug bounty program. We hoped, with a bit of luck, to be able to discover a couple of vulnerabilities.