
Sometimes even the big boys get hit by little bugs

by Majik on September 21st, 2001

Three leading Internet firms have fallen prey to a serious security bug identified more than 18 months ago.

America Online's [email protected] site, along with the portal for its ICQ instant messaging product, and Yahoo's site for users in France, have been identified as vulnerable to an attack known as cross-site scripting.

In February last year, a joint advisory about cross-site scripting was issued by the FBI's National Infrastructure Protection Center and the Computer Emergency Response Team (CERT).

The three vulnerable sites were all reported by different individuals in the past seven days to VulnWatch, a new security mailing list.

The search function on each of the vulnerable sites allows unauthorized users to inject HTML tags or scripts within the Uniform Resource Locator (URL) address of the site.

As a result, an attacker could, for example, trick Web surfers into clicking on what they believe is a safe link to a trusted source in an e-mail or Web page. In fact, the URL could contain scripts which steal data input by the user and send it back to the attacker, according to CERT's advisory.

Officials from the three affected sites were not available for comment this evening.

According to Cabezon Aurélien of the French security portal, he reported the vulnerability in Yahoo's French site to the firm and it has corrected the flaw.

The flaw at was also still open, despite having been reported to the company Wednesday, according to Aurélien.

The vulnerability at [email protected], which was identified by Jon Britton, operator of a site called, was still exploitable this evening, based on tests by Newsbytes.

While Internet surfers can disable scripting in their browsers to protect against such attacks, CERT said the onus for correcting the problem falls on Web site developers.

"None of the solutions that Web users can take are complete solutions. In the end, it is up to Web page developers to modify their pages to eliminate these types of problems," said the CERT advisory.
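The search-page flaw described above and the page-side fix CERT calls for, as an added example that is not from the article or from any of the affected sites. The function names, the `q` parameter, the `/search` path and the probe string are assumptions made for illustration.

```javascript
// Added example: a search results page that echoes the `q` URL parameter.
// All names here are hypothetical; the input is constructed.

// Encode the five characters that carry meaning in HTML text and attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pull the (already URL-decoded) search term out of a request URL.
function queryFrom(requestUrl) {
  return new URL(requestUrl, 'http://example.invalid').searchParams.get('q') || '';
}

// Flawed: the search term is concatenated into the page as markup,
// so tags placed in the URL become part of the document.
function renderUnsafe(requestUrl) {
  const q = queryFrom(requestUrl);
  return `<h1>Results for ${q}</h1><input name="q" value="${q}">`;
}

// Corrected: the search term is encoded at the point of output,
// covering both the element text and the quoted attribute value.
function renderSafe(requestUrl) {
  const q = escapeHtml(queryFrom(requestUrl));
  return `<h1>Results for ${q}</h1><input name="q" value="${q}">`;
}

// Regression check for a test suite: a probe containing markup characters
// must never come back verbatim in the rendered page.
function reflectsRawMarkup(render, probe) {
  const url = '/search?q=' + encodeURIComponent(probe);
  return render(url).includes(probe);
}

// Constructed, harmless probe: one tag pair plus a double quote.
const PROBE = '<i>probe</i>"';

console.log('unsafe page reflects markup:', reflectsRawMarkup(renderUnsafe, PROBE));
console.log('safe page reflects markup:  ', reflectsRawMarkup(renderSafe, PROBE));
console.log(renderSafe('/search?q=' + encodeURIComponent(PROBE)));
```

Encoding has to match the output context: the same helper is not sufficient for values written into script blocks or URLs.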
