BUG: XSS Security flaw in BaseCamp Messages
We stumbled upon this by accident - a client of ours posted some tracking pixel code for an advertiser network into a message which was a brief for a developer. The developer went to view the brief (Message) and could not see the code example; without any warning to the end user it accepted the HTML script and used it verbatim (as HTML) when rendering it back to the recipient. Accepting raw HTML in messages which are publicly available to other people in this manner is extremely dangerous, especially considering BaseCamp would be a prime target for corporates.
Basecamp intentionally allows HTML (and JavaScript) because many of our users find great value in being able to use that. We’re fully aware that this allows for XSS attacks, but Basecamp is based on the notion of trusted parties. You should only allow people into the system that you believe won’t hack your system (just as you should only invite people into your office that you don’t believe will steal from you). If this was a public system, it would definitely be different. You can’t have a public forum today without carefully dealing with XSS issues.
But you fail to account for the fact that a friend can become a foe. If I invite someone to my office and later realize that they are not “friendly” I can change my locks. If I understand the problem (and it’s possible that I don’t) then the only way to keep someone out that knows your URL is to change the URL, which then requires that I notify everyone including customers of the change. Your response sounds like a rationalization. To assume a “trusted party” relationship with any data online is at best short-sighted and at worst irresponsible.
If your friend becomes a foe, you can revoke their account and change your login credentials. Just like you would simply not let them into your office. In the 3+ years we’ve operated Basecamp, we’ve never had a single such case occur, though. So it doesn’t seem like it’s a big problem. And I know many of our customers would scream murder if we removed the option to use HTML in their messages, as they’ve become accustomed to over the past 3+ years.
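The two rendering choices argued over above, side by side, as an added example that is not Basecamp's code: `render_raw` emits message HTML verbatim (the behaviour the first post describes), while `render_sanitized` keeps an assumed allowlist of formatting tags and drops scripts, event-handler attributes and non-http links, so a message can keep rich formatting without the sender being able to run JavaScript in a recipient's browser. The tag and attribute lists are an assumed policy, not Basecamp's.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist policy for message formatting (not Basecamp's own rules).
ALLOWED_TAGS = {"p", "b", "i", "strong", "em", "a", "ul", "ol", "li", "br", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}            # every other attribute (onclick, style, ...) is dropped
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}   # element and its text are both removed


class MessageSanitizer(HTMLParser):
    """Rebuilds message HTML keeping only allowlisted tags/attributes; text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # >0 while inside a dropped element whose content must also go

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text content
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue  # blocks javascript: and other non-http schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))


def render_raw(message_html: str) -> str:
    return message_html  # verbatim, as the first post describes


def render_sanitized(message_html: str) -> str:
    p = MessageSanitizer()
    p.feed(message_html)
    p.close()
    return "".join(p.out)


# Constructed sample message: a brief with a pasted script and a hostile link.
SAMPLE = '<p>Brief:</p><script>alert(1)</script><a href="javascript:alert(1)" onclick="x()">link</a><b>ok</b>'
```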
Thanks for clarifying. I misunderstood the original post. I thought it was indicating that you could use this method without having to login. Now I’m curious… how exactly do I use this feature? Can someone point me to a thread in the forums that talks about this?
