Zynga fixes a XSS vulnerability

Farmville and Cityville, both popular games in social networks, were created by the company Zynga which has a yearly turnover of 850 Mio. USD. The company has, like many big companies, also a Hall of Fame where it thanks the security researchers for their help to report security threats in their onlinegames or webapplications.

Our team discovered a Cross Site-Scripting issue in the domain: investor.zynga.com. Users have the possibility to share the website over social networks. Therefore user-controllable parts of the url are passed as a parameter to a javascript function.

The links are all created like this:

URL: http://investor.zynga.com/events.cfm
Created link: <a href="/events.cfm?sh_email=yes" onclick="sh_popup('/events.cfm?sh_email=yes',500,545);return false;" rel="nofollow"><img src="/common/images/clear_email.gif" border="0" alt="Email" title="Email"></a>

To trigger a XSS when you click on the share button, we just had to add a new parameter to the url:

URL: http://investor.zynga.com/events.cfm?foo=bar'+alert(/XSS/)+'
Created link: <a href="/events.cfm?sh_print=yes&foo=bar'+alert(/XSS/)+'" onclick="sh_popup('/events.cfm?sh_print=yes&foo=bar'+alert(/XSS/)+'',675,600);return false;" rel="nofollow"><img src="/common/images/clear_print.gif" border="0" alt="Print" title="Print"></a>

After appending the “foo” parameter with our XSS-exploit to the url, we were able to add own javascript code to the executed function in the eventlistener. Obviously it was possible to execute any kind of javascript - code. Unfortunately, user interaction is required to trigger this xss.

We informed Zyngas security team at the 6th of april 2013.They anwsered two weeks later and told us that the XSS was not exploitable. We had to admit that this was true in this case, because an over-styled “h1”-tag rendered the share buttons unclickable. But there was a solution to this problem: Just find another website without an over-styled “h1”-tag :)

URL: http://investor.zynga.com/releasedetail.cfm?ReleaseID=658729&xss='+alert(/XSS/)+'

This was the final exploit and the validation of this issue was made within the next week. Additionally we were asked for some details for the hall of fame entry.

Ten days later the XSS issue was finally fixed.

Team of internetwache.org

Screenshot of the Cross Site-Scripting vulnerability at zynga.com