From: Danny Ricci (dannydricci.com)
Date: Fri Jan 04 2002 - 14:37:37 CST


    I have discovered a serious flaw in the Nick.com Children's TV Site's
    message boards.

    Information: Nick.com is a website for kids who watch the Nickelodeon
    cable channel. They offer a message board area that's moderated heavily
    to try to make it one of the safest areas on the net.

    Vulnerability: When you create a user and log in to their message board
    system (powered by PeopleLink), a JavaScript window pops up with the
    forum selection and main content inside. This doesn't work too well with
    window resizing/scrolling in Mac OS X (my OS of choice) so I chose to
    open the JavaScript's HTML contents in a new window. This helped the
    problem, but revealed a major flaw in their user identification system.
    The URL is formed like this:
    http://plnk.peoplelink.com/plnk/nickelodeon/boards40/frame.cfm?handle=ANY_USERNAME_HERE&intgroup=100000910

    Handle means the Username of the poster. "intgroup" is the Forum/Message
    ID. You can change the "handle" part of the URL to _ANY_ name, including
    already registered names. You then can post as any username. However,
    all messages take up to 24 hours to be "approved," but if the message is
    "clean," it usually will be approved, even if the name is fake. This
    has been tested. It was obvious that this was hidden in a JavaScript
    popup to probably cover this flaw.

    I have contacted the webmaster and the domain's whois contact (which
    bounced back). Today the site announced a fix which would take place
    Monday:

    Fix: Nick.com forum moderators have confirmed they will be switching to
    a new message board system this coming Monday, and leaving all former
    data behind. This appears to be due to the problem I discovered, however
    I was never contacted directly to confirm this.
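The flaw described in this post, reduced to code as an added illustration (not the Nick.com or PeopleLink code): a handler that trusts a query-string `handle` as the poster's identity, next to a hardened handler that ignores `handle` and takes the identity from a server-issued, HMAC-signed session token. The server secret and the token format are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed server-side secret (assumption); a real deployment keeps this out of source.
SERVER_SECRET = b"constructed-demo-secret"


def poster_from_url_vulnerable(url: str) -> str:
    """Flawed pattern from the post: whoever the query string says you are, you are."""
    params = parse_qs(urlparse(url).query)
    return params.get("handle", [""])[0]


def issue_session(handle: str) -> str:
    """Server mints 'handle.nonce.mac' at login; only the server can produce a valid mac."""
    nonce = secrets.token_hex(8)  # hex only, so it never contains the '.' separator
    mac = hmac.new(SERVER_SECRET, f"{handle}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{handle}.{nonce}.{mac}"


def poster_from_session(token: str) -> Optional[str]:
    """Hardened pattern: identity is whatever the verified session says, or nothing."""
    try:
        handle, nonce, mac = token.rsplit(".", 2)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(SERVER_SECRET, f"{handle}.{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered or forged token
    return handle


def poster_for_request(url: str, session_token: Optional[str]) -> Optional[str]:
    """Hardened handler: the 'handle' query parameter is never consulted."""
    if not session_token:
        return None
    return poster_from_session(session_token)
```

Detection-wise, the vulnerable pattern shows up as posts whose URL `handle` differs from the authenticated session's user; the hardened handler makes that mismatch impossible to act on.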