Friday, February 02, 2007

Owning a lot of football fans

This morning I awoke to find an urgent posting from Websense. Somebody had placed a bit of javascript on the Dolphin Stadium website @ Don't worry, it's not there anymore. This weekend is the Superbowl and a LOT of football could very well visit this site and if they haven't updated their Internet Explorer in a while they'd find a keylogger and backdoor installed on their PC.

A pretty big issue that was resolved fairly quickly by the host removing the offending source but our comfort level with that site is shaky now. How did the attackers get in, did they close the hole or just put some silly putty over it? We may never know.

The malicious code turns out to be a javascript file called 3.js loaded from a website named A very quick googledork search found something interesting:

The CDC's podcast site! They've since brought down their system for repairs.

The site has been removed as well but how many people already had their machines trojaned?

This attack is called "Persistent Cross Site Scripting (XSS)." in that the malicious JavaScript code gets left behind on the web application, usually as a database entry that is displayed at some point during the user's experience. When a somebody goes to visit the website the malicious code is loaded and, in this particular case, bad things happen to the browser if it hasn't been patched against two recent Microsoft bugs (MS06-014 and MS07-004).

There are a lot of XSS bugs out there. Michael Sutton did a massive check and reliably confirmed that out of 272 sites, 47 (17.3%) of them had a XSS vulnerability. The XSS Wall of Shame at the forum never stops, most of them being non-persistent.

Browsing the web with a JavaScript-enabled browser is just plain dangerous. It's not just those 'seedy' underground sites you should avoid, it's everywhere.

Some very good resources on XSS and its very real threats:

No comments: