http://www.newsbytes.com/news/02/174173.html

By Brian McWilliams, Newsbytes
NEW YORK, NEW YORK, U.S.A.,
01 Feb 2002, 7:57 PM CST

A security flaw at leading online news providers MSNBC.com, NYTimes.com, and WashingtonPost.com could have allowed attackers to generate bogus articles using the sites.

In a demonstration of the bug, David De Vitry, an independent security specialist, exploited the news sites to create a phony story in which a NASA official claimed the space agency's moon landings were faked.

The security glitch, known as cross-site scripting (CSS), opened the door to what experts call subversion of information attacks. Such attacks can be used to spread false information, manipulate stock prices, and perform other malicious acts.

At no time did the flaws, which have been corrected, allow unauthorized users to place articles on the Web servers of the affected sites or to edit existing pages.

To view the fraudulent stories generated from the news sites, users would have to click a specially crafted hyperlink in an e-mail, instant message, or on a third-party site.

In De Vitry's demo, clicking a link to the vulnerable news page pulled content from his personal site and overlaid it on a page generated by the news site.

Because three sites were simultaneously vulnerable to CSS attacks, a fake news item could have gained extra credibility, according to De Vitry.

"Imagine posting different versions of the same story involving several news sites. It wouldn't be hard to get people to start believing it," he said.

When notified of the security flaw today, MSNBC.com officials closed the hole identified by De Vitry and began a sweeping review of the site for other CSS bugs, according to Ian Marriott, director of development for MSNBC.com, a joint venture between Microsoft and television network NBC.

The Washington Post Company performed a similar analysis and fixed flaws at its site today.

A CSS hole at the NYTimes.com site was closed last week, more than a month after the news company was alerted to the problem, according to De Vitry.

Christine Mohan, a spokesperson for New York Times Digital, the Internet unit of The New York Times Company, said the firm investigated the matter when contacted by De Vitry, and "prioritized the issue accordingly."

Cross-site scripting is a well-known security issue that was widely publicized two years ago in an advisory from the Computer Emergency Response Team (CERT), a federally funded security information clearinghouse.

CSS security flaws primarily affect Web pages that accept input from users, such as forms for searching, processing credit-card information, or logging in, according to a Feb. 2000 document at Microsoft's technical support site.

The CSS flaw discovered by De Vitry at MSNBC.com was present in an input form used by site visitors for e-mailing articles to other Internet users. At the NYTimes.com site, the bug was in a search form on its New York Today page. The WashingtonPost.com had a CSS flaw in a page in its financial section for requesting stock quotes.

According to CERT, many Web sites remain vulnerable to CSS attacks, and site operators do not adequately understand the threat CSS bugs present to visitors.

Among the risks of CSS cited by Microsoft are compromises of data integrity, interception of user input, and execution of malicious scripts.

Earlier this month, MSNBC.com was first to report a CSS flaw discovered by De Vitry at Citibank's C2IT.com Internet payment site that could have enabled attackers to grab users' credit card and bank account information.

CSS attacks are commonly launched by tricking users into clicking a hyperlink containing special characters that loads a JavaScript program or other data. The Web page that appears in the victim's browser may appear to come from the trusted site, but code injected into the page by the attacker could perform malicious acts.
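
The reflected-input pattern described above, as an added example that is not part of the Newsbytes article: a search page that copies the query into its HTML, the same page with output encoding, and a review check that tells the two apart. All function names and the sample query are constructed for illustration.

```javascript
// Added example; every name here is hypothetical, not code from any site in the article.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that let a value break out of HTML text or attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the query-string value is copied into the page verbatim, so any
// markup it carries is served under the site's own name.
function renderSearchPageUnsafe(query) {
  return `<html><body><p>Results for: ${query}</p></body></html>`;
}

// "After": the value is encoded at output time and is displayed as plain text.
function renderSearchPageSafe(query) {
  return `<html><body><p>Results for: ${escapeHtml(query)}</p></body></html>`;
}

// Review-time check: does a probe containing markup characters come back
// unencoded in the generated page?
function reflectsRawMarkup(render, probe) {
  if (!/[<>"']/.test(probe)) {
    throw new Error('probe must contain at least one markup character');
  }
  return render(probe).includes(probe);
}

// Constructed sample input: a query carrying a headline the site never published.
const constructedQuery = '<h1>Headline the site never published</h1>';

console.log('unsafe page reflects markup:',
  reflectsRawMarkup(renderSearchPageUnsafe, constructedQuery));
console.log('encoded page reflects markup:',
  reflectsRawMarkup(renderSearchPageSafe, constructedQuery));
console.log(renderSearchPageSafe(constructedQuery));
```
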

While CSS bugs are easy to correct, spotting them is difficult, and new automated tools may be needed, said Richard M. Smith, an independent security consultant.

Eeye Digital Security will add such a capability to the next version of its SecureIIS product, to block CSS attacks against servers running Microsoft's Internet Information Server software, according to Eeye chief hacking officer, Marc Maiffret.

Marriott said MSNBC.com performed a full inspection of all of its Web pages when CSS vulnerabilities first came to light years ago. But he said pages since added to the site may have slipped through the company's code review process.

This week, CSS vulnerabilities at Web sites operated by several major Internet security companies were publicized. Such flaws have also been uncovered at Yahoo, EBay, Microsoft, Netscape, and other high-profile Web sites.

MSNBC.com is at http://www.msnbc.com

The New York Times is on the Web at http://www.nytimes.com

The Washington Post site is at http://www.washingtonpost.com

Microsoft's article on CSS security issues is at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q252985

De Vitry's site is at http://www.devitry.com