Cool Pictures All Categories
Internet Videos [ 576 x RSS ]
Front Page [ 118 x RSS ]
Cool Pictures [ 57 x RSS ]
Cool Sites [ 55 x RSS ]
Video Tutorial [ 19 x RSS ]
My Websites
Learn to Play Songs by Ear: Ear Training
Best of The Internet
Free Video Tutorials
Best of Youtube
Use Google to Download mp3s
Free Quiz Creator
Online Education
Poetry
Famous Poetry
Printable Sheet Music
JimmyR on Youtube
Free Movies Online

Last Updated 166/365 of 2006

Del.icio.us Query String Hack

Links Added With No Confirmation

If a person is logged in to Del.icio.us, a questionable query can add links automatically to their Del.icio.us library without any confirm prompt or asking to fill out tag, description and notes. The site needs only the persons Del.icio.us username.



Questionable Query String Example
http://del.icio.us/usrhere?tags=foo&description=foo&url=http://www.example.com/¬es=foo

Proof

I've tested a bulk add script on 3 accounts JimmyRuska EliteSkills and my main account JimmyRcom. If you don't believe it can work in bulk, see an example. Login, type your username, and this script will add 80 of my blogs to your account using iframes and only javascript. Again, this has a lot of potential to be used maliciously, but a lot of potential to be used in cool creative ways.

Contact

Yes I have contacted del.icio.us to inform them.

Bad Usage

Good Usage

Test it for yourself

Just change the usrhere to your username in the above example. It will go to example.com, but, it will also have added it to your Del.icio.us account page without any prompt. This means, that given the username, and given the person is logged in, a malicious person can add a ton of links to archive without them knowing. They just replace url= field with their site, and modify the other information accodingly.

Don't Believe me?

Login to delicious. Type in your username in the form below. Click change. Click the link.



Let me add JimmyR Blog without Prompting to Save

Del.icio.us Username:

How could it be exploited?

The above demonstrates the proper way to use this code. Bad sites can open many of those links at the same time on the same page as embedded frames or popups. For example, you give your username, you click submit, the page loads, and now you have 200 of their links in your Del.icio.us page.

First off the malicious site needs to get your username. They can likely do so tricking you into thinking they offer some kind of service like exporting all your links in some format (txt, pdf, firefox compatible, excel,etc)

Next the site needs to open the malicious url, which they modify, adding their pages in the &url= part of the query and your username where it says usrhere.

This can be exploited in several ways. For example, a person can have a javascript array of all the page listing they want added to that persons' Del.icio.us, then just make a frames page with a 1x1 frame that automatically redirects through the list of their pages, using the malicious URL as a base every 2 or 3 seconds, all the while having a normal looking page.

Another less conspicuous way is simply to have a javascript loop that opens popup windows. Since there's so many popup blockers now days, that's probably a bad idea.

The person can be messy and lazy by just adding a ton of iframes each with a unique malicious URL. After each one loads, each link is loaded to their book marks.

Legal?

I'm not sure if this is even a hack, but it definitely can be exploited by malicious people. For now, I use it to add all my blog's pages to my delicious automatically. It's important to protect your username as much as your password in this case, something most people are unlikely to think about. A site offering services like printing out all your Del.icio.us links in excel, exporting to firefox, or making them a pdf could very well likely be fake, and just shove a ton of their URLs on you, getting more traffic from Del.icio.us' most popular list.

This can also be useful in user based sites. Having the person click the "add to del.icio.us" on any page then having the page automatically add itself is just convenient. An option can even be given to the user for those who want to add the details themselves, or have the "malicious" code add the code for them.

How I found?

I was originally looking for a faster way for users to tag my site, and possibly fill out tagging info for them. I used the questionable url modification to add all the pages of my blog dynamically onto my delicious page.

Table 'jimmyr.comments' doesn't exist