F-Secure Finds Exploits at Social Engineering Sites

TeMerc
Web application worms exploit persistent Cross Site Scripting (XSS) vulnerabilities in websites. It's a new category of malware and it's a growing concern for popular websites. Social networking sites seem to be the most popular target as of now. MySpace has already been hit by two such worms - the Samy worm in October last year and last week's Flash worm. Samy was written by a guy who wanted to become popular on MySpace. So he designed the worm to crawl through the site while furiously adding people to his friends list. The result: over a million "friends" in a couple of hours. Last week's worm exploited a vulnerability in Macromedia Flash to redirect MySpace users to an objectionable webpage.

Last week MySpace was also the target of a malicious banner advertisement that ran on the site. It used the WMF vulnerability in Windows to serve adware to more than a million users with unpatched machines.

All this piqued our interest and we decided to see how secure other popular social networking sites are against "wormable" XSS vulnerabilities. We picked two among the top social networking sites with a reported combined user base of 80 million. Within half an hour we had discovered over half a dozen potentially "wormable" XSS vulnerabilities in each site! We stopped looking after finding half a dozen, but we are sure there are a lot more holes in there. With about a day's work a malicious attacker with a half-decent knowledge of JavaScript could create a worm using just one of these vulnerabilities.

Something to consider: the WMF banner ad successfully reached about one million users. An automated worm utilizing a similarly malicious WMF exploit or a similar browser exploit (maybe even a 0-day exploit) could potentially reach a much, much larger audience of unpatched machines. Theoretically, this could be the entire user base...

Recommendations:

  • 1. End users need to patch their machines. There's no excuse not to.
  • 2. Web application developers must start taking security seriously. Yes, XSS issues are silly, easy to find and omnipresent. And XSS issues have stopped being funny for a long time now. They are a real danger with the advent of phishing and web application worms that exploit a mass user base of millions of users within a very short time.

Of course, we have reported the issues to the affected websites and are working with them to get the issues fixed. And, of course, we aren't taking any names here.

F-Secure Blog
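As an added illustration (not code from the F-Secure post or from anyone in this thread) of the bug class the post describes: a profile field that one user stores and every other visitor's browser renders. The stored sample value, the two render functions and the `TagCollector` check are all constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample of an "about me" field as it might sit in the database:
# markup one user saved that would otherwise run in every viewer's browser.
STORED_ABOUT_ME = '<img src=x onerror="alert(1)">hello from a constructed profile'


def render_profile_vulnerable(about_me: str) -> str:
    """The 'before': stored text interpolated straight into the page.
    Whatever one user saved is parsed as HTML by everyone who views the
    profile, which is exactly what makes a persistent XSS bug wormable."""
    return f"<div class='about'>{about_me}</div>"


def render_profile_hardened(about_me: str) -> str:
    """The fix: encode for the HTML context at output time, so the stored
    value is displayed as literal characters instead of parsed as markup."""
    return f"<div class='about'>{html.escape(about_me, quote=True)}</div>"


def render_attribute_hardened(title: str) -> str:
    """Attribute context: quote=True also encodes ' and ", so user data
    cannot close the attribute it sits in and start a new one."""
    return f'<a title="{html.escape(title, quote=True)}">profile</a>'


class TagCollector(HTMLParser):
    """Records every start tag and every on* event-handler attribute the
    parser sees, mimicking what a browser would treat as active content."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def injected_elements(fragment: str, template_tags=("div",)) -> list:
    """Tags and handlers parsed out of the fragment beyond those the template
    itself emits; a non-empty list means user data became markup."""
    collector = TagCollector()
    collector.feed(fragment)
    return [t for t in collector.tags if t not in template_tags] + collector.handlers
```

The same check works as a regression test on any page template: render with a stored value containing markup and assert that nothing beyond the template's own tags comes back.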

Scot

Very interesting stuff. You know that Cross Site Scripting appears to be what we were hit with here early in July. There are many forms and variations. Social networking sites are the cutting edge for these kinds of attacks. Any site with a MySQL database is also potentially vulnerable to an SQL injection. We may have been the victim of both things. We haven't found anything questionable in the database, but it's getting to be that any site that has user-to-user interaction on the Internet needs a resident security expert or three and fast-acting admins to stay ahead of the game.

Security is quickly becoming the bane of computing existence. One day we may look back at the Free Computing era of the late 1980s and 1990s with nostalgia -- even though they were filled with DOS, Windows 3, Windows 95, and Windows 98.

-- Scot

Peachy

You know, Oracle recently released Oracle 10g XE (Express Edition). It's free and could serve as a replacement for MySQL if one were wanting a secure web application. The code is still closed source so it would be very difficult to hack. Unfortunately, I don't think forum software such as IPB is configured to run with Oracle though.

Temmu

And Oracle's implementation of SQL is just one-off enough to cause new users of it to learn another dialect: Oracle's.
