A few weeks ago, M86 Security Labs discovered how to create a phishing page on RapidShare.com. As most of you probably know, RapidShare is one of the largest file-sharing websites, with thousands of users worldwide.
While trying to download a file from RapidShare.com, we encountered an error message indicating that the servers were busy.
We decided to take a closer look at that error page and found an improper input validation vulnerability in the “downloaderror” field: the text shown to the user is taken from the request itself, and the site does not check it against the error messages it actually generates.
Below is the original error message from RapidShare:
RapidShare.com Error message – Too many users downloading…
In the following screen, we see a fake phishing message that offers users the opportunity to buy a premium account for RapidShare:
RapidShare.com Fake Error message
A closer look:
For further information, see this demo link:
In addition, every value that the “downloaderror” page displays is under the attacker's control, not just the message: for example the file folder (623624), the file name (test.avi) and, of course, the error message itself.
This type of improper input validation lets malicious attackers host a phishing page on RapidShare.com itself: because the page is served from the genuine RapidShare domain, the URL looks trustworthy. A user who receives an email or a link to the malicious page could unknowingly hand over credit card information to the attacker, either by email or by a phone call to a number given in the fake message.
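To make the failure mode concrete, here is an added example (written for this post, not RapidShare's code) of an error handler that reflects request parameters the way the page describes, beside a hardened version that maps a short error code to a server-side message and validates the folder and file name. The query-parameter layout, host name and sample URLs are constructed for illustration; the real RapidShare request format is not shown on the page.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (hypothetical host and parameter names).
LEGIT_URL = ("https://example-filehost.invalid/download?"
             "downloaderror=busy&folder=623624&file=test.avi")
PHISH_URL = ("https://example-filehost.invalid/download?"
             "downloaderror=Your+download+is+blocked.+Buy+a+premium+account+now:"
             "+call+%2B1-555-0100&folder=623624&file=test.avi")
MARKUP_URL = ("https://example-filehost.invalid/download?"
              "downloaderror=busy&folder=abc&file=%3Cb%3Efree+premium%3C/b%3E")


def _params(url):
    """Return the first value of each query parameter as a plain dict."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def render_error_vulnerable(url):
    """Reflects whatever the request says, which is the flaw the post describes.

    Anyone who can get a victim to open a crafted link chooses the folder,
    the file name and the entire error text shown on the trusted domain.
    """
    p = _params(url)
    return (f"<h1>Error downloading {p.get('folder', '')}/{p.get('file', '')}</h1>"
            f"<p>{p.get('downloaderror', '')}</p>")


# Server-side allowlist: the client may only pick a code, never the wording.
ERROR_MESSAGES = {
    "busy": "Too many users are currently downloading. Please try again later.",
    "notfound": "The requested file could not be found.",
    "generic": "The download could not be completed.",
}
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9._-]{1,255}$")


def render_error_hardened(url):
    """Same page, with the three controllable fields constrained.

    - downloaderror must be a known code; unknown codes fall back to 'generic'.
    - folder must be numeric and file must match a conservative pattern,
      otherwise both are dropped rather than echoed.
    - Anything that does reach the page is HTML-escaped.
    """
    p = _params(url)
    message = ERROR_MESSAGES.get(p.get("downloaderror", ""), ERROR_MESSAGES["generic"])
    folder = p.get("folder", "")
    filename = p.get("file", "")
    if not folder.isdigit() or not SAFE_FILENAME.match(filename):
        folder, filename = "", ""
    return (f"<h1>Error downloading {html.escape(folder)}/{html.escape(filename)}</h1>"
            f"<p>{message}</p>")


def attacker_text_reflected(render, url, marker="Buy a premium account"):
    """True when the attacker's phishing text survives into the rendered page."""
    return marker in render(url)


if __name__ == "__main__":
    for name, render in (("vulnerable", render_error_vulnerable),
                         ("hardened", render_error_hardened)):
        print(f"--- {name} ---")
        print(render(PHISH_URL))
        print("phishing text reflected:", attacker_text_reflected(render, PHISH_URL))
```

The key design point is that the client never supplies display text at all, only a code looked up in ERROR_MESSAGES; escaping alone would have stopped HTML injection but would still have let the attacker's plain-text "buy a premium account" message appear on the real domain.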
We contacted RapidShare.com about this issue and received a response from the RapidShare Abuse team assuring us that it has been fixed.