View Full Version : [Bobba] Just found an XSS in Habbo, what to do?
noobdoob
18-03-2012, 07:17 PM
Hey guys, I just found an XSS in Habbo, it's persistent. I've reported it to Habbo but as always there is no reply. I'm wondering what to do?
If you're wondering what this is: XSS is a cross-site script; I can basically upload anything to that page: a Java drive-by, an HTML deface page or anything else.
I think I might end up selling this.
What are your thoughts?
Thread moved here by Martin (Forum Moderator): From 'Habbo In General' as it's more suited here.
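The opening post says the XSS is "persistent", i.e. the payload is stored by the site and served to every visitor of the page. The following is an added example written for this thread (not code from the original post, from Habbo or from Sulake); it is a self-contained Node.js "guestbook" that stores comments and renders them, first the way a stored XSS arises and then with context-aware output encoding, plus a small scanner that reports live script tags and `on*=` event-handler attributes in the rendered HTML. The comment fields, the `title` attribute and the sample payloads are all constructed for the demo; it also illustrates the point raised later in the thread that injection which "only allows HTML" is not minor, because an attribute breakout turns into script execution without a `<script>` tag.

```javascript
// Added example, not from the thread. Node.js, no dependencies.
// A constructed comment store: saving untrusted input is fine; the bug is
// in how it is later written into HTML.
const store = [];

function saveComment(author, body) {
  store.push({ author, body });
}

// Vulnerable rendering: raw concatenation into a text node (body) and into a
// double-quoted attribute value (author). This is the stored-XSS sink.
function renderUnsafe() {
  return store
    .map((c) => `<div class="c" title="${c.author}">${c.body}</div>`)
    .join("\n");
}

// Encode the characters that change parsing in an HTML text node or in a
// quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: every untrusted value is encoded for the context it
// lands in (text node and quoted attribute use the same entity set here).
function renderSafe() {
  return store
    .map((c) => `<div class="c" title="${escapeHtml(c.author)}">${escapeHtml(c.body)}</div>`)
    .join("\n");
}

// Demo scanner: walks the markup, skips quoted attribute values, and reports
// <script> tags and attributes whose name starts with "on". It is a check for
// this example's output, not a general-purpose sanitizer.
function activeMarkup(html) {
  const hits = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== "<") { i++; continue; }
    let j = i + 1;
    let name = "";
    while (j < html.length && /[A-Za-z0-9-]/.test(html[j])) name += html[j++];
    if (!name) { i++; continue; }                 // closing tag or stray "<"
    if (name.toLowerCase() === "script") hits.push("<script>");
    while (j < html.length && html[j] !== ">") {  // scan attributes of this tag
      const ch = html[j];
      if (ch === '"' || ch === "'") {             // skip a quoted value whole
        j++;
        while (j < html.length && html[j] !== ch) j++;
        j++;
        continue;
      }
      if (ch === "=" || /\s/.test(ch)) { j++; continue; }
      let attr = "";
      while (j < html.length && /[^\s=>"']/.test(html[j])) attr += html[j++];
      if (/^on/i.test(attr)) hits.push(attr.toLowerCase());
    }
    i = j + 1;
  }
  return hits;
}

// Constructed sample data: a benign comment, a script tag in the body, and an
// author name that closes the title attribute and adds an event handler.
saveComment("alice", "hello world");
saveComment("mallory", "<script>alert(document.cookie)</script>");
saveComment('" onmouseover="alert(1)', "looks harmless");

console.log("unsafe:", activeMarkup(renderUnsafe())); // [ '<script>', 'onmouseover' ]
console.log("safe:  ", activeMarkup(renderSafe()));   // []
```

The third comment contains no `<script>` at all, which is why "it only lets you put HTML in" is not a safe verdict: the encoded version keeps the whole author string inside the `title` value, while the raw version hands the browser a new `onmouseover` attribute.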
Michael
18-03-2012, 08:54 PM
Um. If only that made sense..
Samantha
18-03-2012, 09:18 PM
If you reported it to Habbo why the hell would you sell it? Surely you'd get in trouble because of distribution.
Maybe be patient with Habbo mods, expect a delay.
xxMATTGxx
18-03-2012, 09:33 PM
When did you report it? You could always tweet them and ask if there is a way to contact them directly.
http://www.sulake.com/contact/sulake-tweeters/
I've not got a clue what this means, can you give us a more detailed example?
Recursion
18-03-2012, 09:39 PM
Even if you did find one, posting on this forum and then selling it is going to get you in a whole load of legal trouble (I'm sure Habbox would love to help Sulake in tracking you down). E-mail them and forget about it.
auffant1
19-03-2012, 12:28 AM
All I heard was script, java and sell. Me no understand :S
GoldenMerc
19-03-2012, 12:33 AM
Tweet it to Paul, or just let it die. Legal battles with multi-million / billion companies would not go down well on a CV.
Breeze
19-03-2012, 04:44 AM
An XSS exploit can allow one to steal Habbo accounts and gain user information when used right. If I'm not mistaken this stuff is pretty lethal. I've recently looked at "HF" (keeping it short to not cause a stir) and you're from there I think; you'll get into some deep issues if you try and sell this. Personally I'd use it until they patch it or bribe them with it, for example: "I'll tell you the new XSS exploit in exchange for ______". If they ask for the information first, just say to them that if you aren't given what you want you'll use it. I'm not saying cause any issues, but be very careful with what you do with it. Habbox does not promote "hacking" so I'd avoid posting it here.
ngc6611
19-03-2012, 08:10 AM
I can take care of this.
Samantha
19-03-2012, 08:52 AM
When did the Sulake staff get here :O. Nice one.
Thanks for the breakdown Breeze, however I think it could be dangerous to bribe too.
vito201-:D
19-03-2012, 11:52 AM
Hey guys, I just found an XSS in Habbo, it's persistent. I've reported it to Habbo but as always there is no reply. I'm wondering what to do?
What are your thoughts?
You should give it to me... not sell it to me, just give it to me so I can try and do something creative with it (Assuming it's a full XSS exploit that allows code etc and not a minor one that just allows HTML like most are) before Sulake patch it... since you've already told them about it...
- Alex (Shenk).
Edited by Chris (Forum Super Moderator): Please do not abuse moderator features!
No idea what XSS is but yeah, I would sell it, you will get in so much ****
Breeze
19-03-2012, 04:01 PM
I can take care of this.
Here comes Mr. Killjoy. noobdoob, give it to Alex/Vito/Shenk, he knows what to do with it.
noobdoob
19-03-2012, 04:39 PM
Okay, I'll see what I can do. *REMOVED*
The so-called Habbo staff contacted me. I haven't reported it yet, until I get a settlement with them. They've been a ***** to me lately.
---------- Post added 19-03-2012 at 04:50 PM ----------
This is a good example of why I shouldn't give them the XSS. I've written to them in clear English and explained the situation.
Thank you for contacting Habbo.
Unfortunately we are unable to assist you as we could not understand your query. Please reply with a longer explanation of your problem, in clear English, so that we can provide you with support.
Edited by Martin (Forum Moderator): Please do not be rude towards other forum members!
GoldenMerc
19-03-2012, 05:30 PM
So you now get a "settlement" for threatening to hack and release users' data, what is this business coming to
Okay, I'll see what I can do. *REMOVED*
The so-called Habbo staff contacted me. I haven't reported it yet, until I get a settlement with them. They've been a ***** to me lately.
---------- Post added 19-03-2012 at 04:50 PM ----------
This is a good example of why I shouldn't give them the XSS. I've written to them in clear English and explained the situation.
Thank you for contacting Habbo.
Unfortunately we are unable to assist you as we could not understand your query. Please reply with a longer explanation of your problem, in clear English, so that we can provide you with support.
Lmao, guessing you had Katharina? Said the exact same to me. Stupid dkfjdkfd
So you now get a "settlement" for threatening to hack and release users' data, what is this business coming to
Yea but they seem to be rewarding a lot of hackers who pass on security exploits with names and stuff :rolleyes:
noobdoob
19-03-2012, 06:15 PM
It's not like I've hacked Habbo. I just want a reward for my hard work. That's all.
Mathew
19-03-2012, 06:18 PM
Here comes Mr. Killjoy, @noobdoob (http://www.habboxforum.com/member.php?u=97186) give it to Alex/Vito/Shenk, he knows what to do with it.
How on earth is he being a killjoy? He's doing his job. How can you endorse and encourage hacking? :rolleyes: I'm surprised this thread is still open tbh...
Okay, I'll see what I can do. *REMOVED*
The so-called Habbo staff contacted me. I haven't reported it yet, until I get a settlement with them. They've been a ***** to me lately.
---------- Post added 19-03-2012 at 04:50 PM ----------
This is a good example of why I shouldn't give them the XSS. I've written to them in clear English and explained the situation.
Thank you for contacting Habbo.
Unfortunately we are unable to assist you as we could not understand your query. Please reply with a longer explanation of your problem, in clear English, so that we can provide you with support.
Stop being so childish. I can't believe people in this thread have the cheek to ask for a "settlement" and endorse / encourage hacking. You're not important or special just because you know something, so stop acting so pretentious. Sulake is a multi-million dollar company, so you'd be stupid to think you'd get your own way. I take it you've been a member of Habbo for a good few years: they've provided you with hours of entertainment, yet you still feel the need to test their limits. The lack of respect for Habbo in this thread is crazy.
noobdoob
19-03-2012, 06:29 PM
They've never treated me well. I'm not being an attention *****, I'm just asking what to do. They banned me for the following reason: "Intention of scamming". Do you think that's a good enough reason to permanently ban someone? I'm not threatening to hack anyone; if they really were such a good company, they'd fix their ticket system first. I'm not encouraging hacking, I found a glitch/bug/exploit in their system.
Please do not come in here making accusations. I'm not disrespecting Habbo, I'm just showing them how bad their service is. I've worked hard to find that bug, I'm not just giving it away without being accredited for it.
MKR&*42
19-03-2012, 06:31 PM
How on earth is he being a killjoy? He's doing his job. How can you endorse and encourage hacking? :rolleyes: I'm surprised this thread is still open tbh...
Stop being so childish. I can't believe people in this thread have the cheek to ask for a "settlement" and endorse / encourage hacking. You're not important or special just because you know something, so stop acting so pretentious. Sulake is a multi-million dollar company, so you'd be stupid to think you'd get your own way. I take it you've been a member of Habbo for a good few years: they've provided you with hours of entertainment, yet you still feel the need to test their limits. The lack of respect for Habbo in this thread is crazy.
Never had so much respect for 1 person^
You all really need to read that point. It's ridiculous how so many of you are whining about the entirety of Habbo. Fair dos, I've complained before about certain features, but I haven't complained about Sulake purely because they are trying to ensure that they protect their "website". And as Mathew has mentioned, because you know something related to hacking, it does not make you "amazing". I laugh at groups like Anonymous who think their hacking is "funny" yet "justifiable", when 1) No, it's not funny, it's just incredibly stupid and basically a child's game (IN MOST CASES): "oh look at me damaging this site ahahahahah", even worse than people laughing at the word "sex". 2) No, it's not justifiable at all; anyone who says it is is talking *******. If you're talking about "genuine" jobs which require hacking, that's a completely different issue.
As Mathew also picked up on - asking for a settlement is just ridiculous.
*removed* 1) You said you'd contacted the moderators/customer support about the issue. 2) You then posted it on a HABBO fansite. 3) You then tell us that you might sell it? A Sulake staff member has seen this thread; I don't think you'd dare try it after you've revealed it to a number of sources. If you do... good luck.
Also: You seem to be quick to complain about Sulake's services? Yet you've used them in the past and still do now to find potential "faults". If you really had a brain, then you would realise that Sulake are providing the service for you to **** about with (although they don't encourage it obviously). Without sulake, you wouldn't be doing any of this on "Habbo" because it wouldn't be here.
Edited by SyrupyMonkey (Assistant General Manager (Staff)): Please do not be rude to other members.
noobdoob
19-03-2012, 06:44 PM
I've reported it, that's true. Did you see the reply I got? Asking for a settlement is not ridiculous, why? At least I'm doing a better job than the people who actually coded the website. I've posted it here because this is supposedly the largest Habbo fansite. I played Habbo when I was young (2-3 years ago); they banned me, I was frustrated. I decided to take a look at their site after a bit and I found this XSS. I'm asking for a settlement, not going to give away my work like that. I'm not whining about their security, you might consider it a rant at their system, which is a complete ****hole. How the hell can you know someone's intentions? I've never played Habbo for the fun, only when I was a child. You obviously don't know anything about the system, nor do you know anything about the way Sulake works. If you had a brain, you'd know that no company provides you a service for the customer to **** about with.
MKR&*42
19-03-2012, 06:55 PM
I've reported it, that's true. Did you see the reply I got? Asking for a settlement is not ridiculous, why? At least I'm doing a better job than the people who actually coded the website. I've posted it here because this is supposedly the largest Habbo fansite. I played Habbo when I was young (2-3 years ago); they banned me, I was frustrated. I decided to take a look at their site after a bit and I found this XSS. I'm asking for a settlement, not going to give away my work like that. I'm not whining about their security, you might consider it a rant at their system, which is a complete ****hole. How the hell can you know someone's intentions? I've never played Habbo for the fun, only when I was a child. You obviously don't know anything about the system, nor do you know anything about the way Sulake works. If you had a brain, you'd know that no company provides you a service for the customer to **** about with.
Bold: me; "If you really had a brain, then you would realise that Sulake are providing the service for you to **** about with (although they don't encourage it obviously)." As I was trying to say, the service you are ******* about with was provided by Sulake themselves. And I did clearly state they don't want you to do that x.x
Yes, fair enough, customer support is known for being **** at times, but as other people have CLEARLY asked you to do, you could have easily tweeted one of the staff members. And an official Sulake staff member did comment on this thread, so your excuse that 'you should stop reporting it because they're not doing anything' is absolute ********; customer support isn't the only way to get through to Sulake, you know.
Not the most recommended way either, but they do have a contact page for the office "closest" to your language :rolleyes: : http://www.sulake.com/contact/local-offices/.
They banned you and you were frustrated? If you're saying that was a good reason to find this XSS then that's pathetic. So many people get banned; sure, a few are bound to get angry and might "seek revenge" in some very basic way. But trying to find security issues in their site PURELY because you received a ban is just stupid.
I don't care if you think you're doing a "better job" because, to be quite frank, we're all human at the end of the day and you can't blame someone for making a mistake here and there. Heck, even big companies have faults in them; I believe it was the PS3 network that got hacked? (not entirely sure of that) and they're worth more than Sulake and have been around for longer. Considering that Sulake has only had a few major hacks (e.g. Finch-HIMself) in its time (12 yrs nearly), they've done pretty well.
Please go make another service as good as Sulake's standards if you're so exceptional at coding.
Mathew
19-03-2012, 07:03 PM
They've never treated me well. I'm not being an attention *****, I'm just asking what to do. They banned me for the following reason: "Intention of scamming". Do you think that's a good enough reason to permanently ban someone? I'm not threatening to hack anyone; if they really were such a good company, they'd fix their ticket system first. I'm not encouraging hacking, I found a glitch/bug/exploit in their system.
Please do not come in here making accusations. I'm not disrespecting Habbo, I'm just showing them how bad their service is. I've worked hard to find that bug, I'm not just giving it away without being accredited for it.
We've told you that you can contact a large number of Habbo staff on Twitter. If this loophole is as detrimental as you make out, then I'm sure they'd like to know about it in any way that they can. Twitter. Facebook. Habbo Support. PM the Sulake staff (on the previous page) on HabboxForum. I do agree that the response you got on the Support tool is pretty poor, but you have been approached by Sulake staff in this thread and Paul LaFontaine himself can be easily found on Twitter. Don't give up until you get a reply, because that's just being daft! :P
What sort of credit are you looking for? I highly doubt they'll create a news article with your photograph in, but they'd be rude not to say a quick thanks! :)
I've reported it, that's true. Did you see the reply I got? Asking for a settlement is not ridiculous, why? At least I'm doing a better job than the people who actually coded the website. I've posted it here because this is supposedly the largest Habbo fansite. I played Habbo when I was young (2-3 years ago); they banned me, I was frustrated. I decided to take a look at their site after a bit and I found this XSS. I'm asking for a settlement, not going to give away my work like that. I'm not whining about their security, you might consider it a rant at their system, which is a complete ****hole. How the hell can you know someone's intentions? I've never played Habbo for the fun, only when I was a child. You obviously don't know anything about the system, nor do you know anything about the way Sulake works. If you had a brain, you'd know that no company provides you a service for the customer to **** about with.
Quite a large claim that you're doing a better job than those who code the website; everyone makes the odd mistake so it's nothing new. You might have a slight point though: let's be honest... Habbo has been flooded with loopholes and hacks ever since it opened, and I do actually think that it has quite a shaky history. Threatening to sell or looking for credit is quite childish though, and I'd hope that someone as "skilled" as you would do it for the Habbo community as opposed to personal gain.
noobdoob
19-03-2012, 07:05 PM
I've never said I'm exceptional at coding, I've never said I tried to find an XSS in their system because of a ban. I was just getting some stuff straight. A multi-million dollar company should have better customer service than that; you're paying for a service (when buying credits or so), you should receive more than you expect.
I learned XSS 3 days ago, and I thought why not check Habbo. I might be a bit of an attention seeker by posting this thread, and I'm sorry. I don't think I'm doing a better check, I mean every company has flaws. I'm just stating the way they treated me when I tried to report something. No reply, "didn't understand what I said".
I'm sorry to break this to you, but Sulake has had its database leaked more than 3 times this year alone. Over 7 MOD accounts have been accessed. I know some people that currently have the Habbo database that was acquired from the Helptool tickets. Habbo NO has had its database leaked publicly.
I don't have the time to make a Twitter account, nor can I contact them at their offices as I live far away.
EDIT: I'm not going to sell it, don't worry, that was a childish act. I'm aware of that, and I feel pathetic. Sorry. Just a little acknowledgement would be great. Would be nice for my CV if I want to enter a good college for computer security, as I'm only 15 years old.
I'm also not convinced that the person that approached me is from Sulake themselves, because I asked him to prove he was from Sulake but until now I have had no replies. He might be from Sulake, but I'm just being cautious. I'll release the XSS to the public when it's patched. At the moment, I'm not sure how to contact them.
MKR&*42
19-03-2012, 07:12 PM
I've never said I'm exceptional at coding, I've never said I tried to find an XSS in their system because of a ban. I was just getting some stuff straight. A multi-million dollar company should have better customer service than that; you're paying for a service (when buying credits or so), you should receive more than you expect.
I learned XSS 3 days ago, and I thought why not check Habbo. I might be a bit of an attention seeker by posting this thread, and I'm sorry. I don't think I'm doing a better check, I mean every company has flaws. I'm just stating the way they treated me when I tried to report something. No reply, "didn't understand what I said".
I'm sorry to break this to you, but Sulake has had its database leaked more than 3 times this year alone. Over 7 MOD accounts have been accessed. I know some people that currently have the Habbo database that was acquired from the Helptool tickets. Habbo NO has had its database leaked publicly.
I don't have the time to make a Twitter account, nor can I contact them at their offices as I live far away.
K, well I do empathise with you on the issue regarding customer support. It's good in some departments, and absolutely **** in other departments; although it has been improving lately, as you've clearly demonstrated it is still not of a great standard. As Mathew said though, you'd just have to keep trying until you eventually get through to them (or at least get a decent customer service staff x.x). So yes, I can understand that you'd be quite pissed off by the reply you received.
Also, I completely forgot the Helptool was infiltrated (oops? :S), so you have a fair point there. Unfortunately, I don't know/haven't heard anything about the MOD accounts being accessed aha. And I'm quite surprised that the Habbo.NO database was leaked; why am I not told/don't I discover this stuff ;//
Anyway, yes, you do seem very attention seeking in the first few posts. I can understand how you're completely ****** off with customer support, but I just don't appreciate people who feel the need to take revenge to such an extent. I'd just advise you not to sell it; as others have stated, I don't think you'd want a legal battle with Sulake.
Yeah, not going to reply to this thread anymore. Guess this was all just a big misunderstanding (sorta).
xxMATTGxx
19-03-2012, 07:17 PM
If you were contacted by the member of Sulake staff who posted in this thread then they are the real deal and do actually work for them. Although I'm not sure how you were contacted, but yeah. I'm sure you will get a thanks just like Habbox/David did when we contacted them about something that needed fixing in the past.
noobdoob
19-03-2012, 07:19 PM
Via the PM system.
xxMATTGxx
19-03-2012, 07:21 PM
Via the PM system.
Right ok, well they work for Sulake, that's for sure. I also know that they don't reply to PMs on this forum straight away so just have some patience.
noobdoob
19-03-2012, 07:25 PM
No worries. I've contacted Doreen Lee. She's supposedly an admin working for Sulake.
Breeze
19-03-2012, 09:05 PM
They've never treated me well. I'm not being an attention *****, I'm just asking what to do. They banned me for the following reason: "Intention of scamming". Do you think that's a good enough reason to permanently ban someone? I'm not threatening to hack anyone; if they really were such a good company, they'd fix their ticket system first. I'm not encouraging hacking, I found a glitch/bug/exploit in their system.
Please do not come in here making accusations. I'm not disrespecting Habbo, I'm just showing them how bad their service is. I've worked hard to find that bug, I'm not just giving it away without being accredited for it.
*Removed*
Edited by Martin (Forum Moderator): Please do not post to cause arguments
GoldenMerc
19-03-2012, 11:32 PM
I wouldn't be surprised right now if it wasn't even an exploit at all...
RealClifford
20-03-2012, 01:22 AM
I just read this, and I haven't laughed quite this hard in a while..
The childish nature of some 'adult' or 'mature' people is incredibly entertaining.
After reading it all, I am unsure he has even found a legit exploit since he is so hell-bent on receiving a 'reward' or some recognition; if he was doing it purely for Sulake then the reward would be unnecessary, would it not?
Greedy, childish, immature, attention seeking at its finest right here.
vito201-:D
20-03-2012, 10:06 PM
I don't personally think there is any code allowing XSS exploits inside the Habbo website... I know of a couple that allow simple HTML such as images/font changes etc... but after using a few robotic XSS exploit detectors and coming back empty-handed... I'd say it's rather unlikely.
*REMOVED*
- Alex (Shenk).
Edited by Zuth (Forum Moderator): Please do not break the Habbo Way!
vito201-:D
21-03-2012, 06:26 PM
Edited by Zuth (Forum Moderator): Please do not break the Habbo Way!
1.) I only need a web browser to use an XSS exploit, hardly 3rd party software,
2.) I haven't been given the exploit, thus haven't even done anything...
3.) It's not really disruption of the hotel to inject code into the main site? (Aka not the client)...
=/
- Alex (Shenk).
noobdoob
22-03-2012, 08:41 PM
Ah, well I've patched one, found another one straight away.
iFlame
23-03-2012, 03:54 PM
What....
Use Twitter to report it or use the contact tool; remember it takes them about a month to look at it because their client services are so bad ;)
Settlement? 10 ducks and a HC plasto table do you?
Edited by xxMATTGxx (General Manager): Please do not post pointlessly.
triston220
23-03-2012, 08:14 PM
It's really not out of the question to ask for a settlement for a persistent XSS 'bug', when it could, in theory, cause some real damage.
@OP, Don't sell it. Use your skills for good, don't damage the site.
Homosexual
23-03-2012, 08:43 PM
You didn't "find this", it's on Shenk's site. Why lie to make friends?