Friday, March 7, 2008

Ninja Stealths Prosper, Prosper Responds

As Tom over at Prosper Lending Review has noted, a ninja has managed to spot a cross-site scripting (XSS) vulnerability in Prosper's website. Prosper has provided an official reply to this:

We were contacted by this blogger about this vulnerability in Prosper’s site on February 15, 2008. Since we were contacted, we have made the code change that will eliminate this vulnerability; although it has not yet been rolled out (a release is expected this weekend). We appreciate the blogger’s help in finding these vulnerabilities.

XSS attacks can introduce significant security issues. We are investigating right now whether this kind of attack can actually do anything malicious on the Prosper site (many security mechanisms are already in place). Nonetheless, there are no known cases of hackers exploiting these vulnerabilities to date. As I mentioned, we are planning to release a fix shortly.

Discussions will probably continue on the prospers.org forum (reg required - sorry)...

Update: I'll note that it looks like the security hole is already closed, but that could be my version of Firefox.

Update 2: Revised Prosper response
