
Published on May 23rd, 2012 📆 | 4974 Views ⚑


NYTimes.com XSS Vulnerability Allows Attacker to Post Fake Story




Sir Cumv3nt
Virtual Threat (Contributing Writer)

In this day and age we all depend heavily on the Internet and social networking to stay informed about important happenings around the world and in our own communities. What many people may not realize is the fact that there is a cyber war occurring beneath the covers of the Internet. In this war, unnamed entities are using digital methods to affect and manipulate the news sources that we so heavily rely upon. The list of players participating in such campaigns ranges from governments, to hacktivists, to black hat hackers seeking financial gain.

I recently read an interesting, although frightening, story from March of 2011 about the patriot hacker who calls himself "The Jester" (th3j35t3r). In this story The Jester used an online attack to launch a psyops campaign against Libyan troops loyal to Muammar Gaddafi. Through a combination of social networking, URL shorteners, and a cross-site scripting (XSS) vulnerability, The Jester made it appear that valid articles had been posted to reputable news sites in Malta and Tripoli. These fake stories proclaimed Libyan troops were abandoning their posts and giving up the fight against rebel forces. The results of this attack are unknowable, but the idea of an attack like this manipulating a modern military conflict was earth shattering.

In this case The Jester used Twitter to post deceptive headlines, along with bit.ly short links, to a list of over 30,000 followers. Once clicked, the short links in the tweets led followers to a remotely hosted web page that had injected the fake story into the news website's search results, appearing to be displayed directly on the news websites. With the viral nature of Tweetable and sharable news, it is surmisable that the number of potential victims could have grown exponentially.

Read more about The Jester's psyops campaign @ http://vrt.lt/JYW6T0

Wikipedia describes a cross-site scripting attack (XSS) as "a type of computer insecurity vulnerability typically found in Web applications (such as web browsers through breaches of browser security) that enables attackers to inject client-side script into Web pages viewed by other users." The site goes on to say that "Cross-site scripting carried out on websites accounted for roughly 80.5% of all security vulnerabilities documented by Symantec as of 2007. Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner."
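The search-results reflection described above comes down to a page echoing the visitor's query without encoding it. The sketch below is an added example, not code from the original article or from any site it names; the function names, the page template and the sample query are constructed for illustration. It shows the vulnerable rendering beside the hardened one.

```javascript
// Added illustration; function names, template and sample query are constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML structure in text or quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the query string is concatenated into the page as markup.
function renderSearchUnsafe(query) {
  return '<form><input name="q" value="' + query + '"></form>' +
         '<p>Your search for ' + query + ' returned 0 results.</p>';
}

// Hardened pattern: the query is encoded for both the attribute and the text context.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return '<form><input name="q" value="' + q + '"></form>' +
         '<p>Your search for ' + q + ' returned 0 results.</p>';
}

// Defence in depth: this policy blocks inline script if an encoding bug slips through.
// It does not stop injected text or headings, so output encoding stays the primary fix.
function securityHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// List the element names present in a rendered page, to compare against the template's own.
function tagNames(html) {
  return (html.match(/<([a-zA-Z][a-zA-Z0-9]*)/g) || []).map((t) => t.slice(1).toLowerCase());
}

// Constructed sample: a query carrying a headline-style fragment, as in the fake-story scenario.
const sampleQuery = '"><h1>Constructed headline</h1>';

console.log('unsafe page elements:', tagNames(renderSearchUnsafe(sampleQuery)));
console.log('safe page elements:  ', tagNames(renderSearchSafe(sampleQuery)));
console.log('response headers:', securityHeaders());
```

Comparing the element list of a rendered response against the template's known elements, as `tagNames` does here, also works as a regression test for any page that reflects request parameters.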

What could potentially happen if a black hat hacker performed a similar attack on news sources in the United States? If this is possible it would certainly constitute a potentially enormous national security threat. Consider this...

- How many U.S.-based news sites, locally and nationally, could be manipulated through an attack like this?
- Could an attack like this be used to manipulate elections? Stock prices? Battlefield morale of our troops abroad?
- Have we already been influenced by news manipulated in similar cyber attacks?





As in the case of The Jester's attack, a person would only need to post a headline and a short link to several social networking sites in order to create a viral piece of false news. With the right headline it would only be a matter of time before the story affected thousands, if not millions, of unsuspecting internet users.

In order to investigate these questions I decided to find out just how susceptible our news sites were to such an attack. The plan was to identify the news sites that currently have this vulnerability, test a non-persistent injection of a fake news story, and then notify the appropriate personnel so they can fix the hole before someone from the dark side exploits it. After performing a brief review of several local and national news sources I found several major sites that were vulnerable to this specific attack, and was able to successfully inject fake news stories on more than one U.S.-based site including the New York Times (NYTimes.com). Once the vulnerabilities were verified, I immediately notified the appropriate people about the exploit. The staff at NYTimes.com was quick to react to the news of the exploit and is currently working on a plan to fix the security vulnerability. They are also currently monitoring the site for any signs of additional attempts to exploit this security hole.

Stay informed about cyber security news by subscribing to our blog @ http://www.VirtualThreat.com

You can also follow our Facebook page @ https://www.facebook.com/VirtualThreat

and you can follow our Twitter feed @ https://twitter.com/#!/virtualthreat



2012-05-23 20:49:09
