According to a message he sent to Prosper, "Your member profile and listing pages are likely open to cross site scripting (XSS) attacks and other hacks at the moment. You can take a look at my profile and current listing to see that I did some light CSS tweaking to customize those pages. I didn’t test any potentially malicious stuff since this is a financial site."
Previously GettoWebmaster found vulnerabilities in the popular HotOrNot dating site. At that time he reported the vulnerabilities on HotOrNot could:
- Auto-redirect all visitors to my profile to the url of my choosing.
- Render the entire page blank.
- Replace the entire profile with an image of the profile which was linked to the url of my choosing. etc, etc, etc…
When borrowers create a new listing they have the option to edit the source html of the loan description as shown below. This is where the vulnerabilities were apparently introduced.
A discussion about the ninja listing can be found on the prospsers.org forums. It looks like Prosper needs that new software engineer ASAP.