A
Ablang
Teen Uses Worm to Promote Site
Manipulation pushes MySpace site to record hits, but raises security
concerns.
Eric Lai, Computerworld
Tuesday, October 18, 2005
Using a self-propagating worm that exploits a scripting vulnerability
common to most dynamic Web sites, a Los Angeles teenager made himself
the most popular member of community Web site MySpace.com earlier this
month. While the attack caused little damage, the technique could be
used to destroy Web site data or steal private information--even from
enterprise users behind protected networks, according to an Internet
security firm.
The unknown 19-year-old, who used the name "Samy," put a small bit of
code in his user profile on MySpace, a 32-million member site, most of
whom are under age 30. Whenever Samy's profile was viewed, the code
was executed in the background, adding Samy to the viewer's list of
friends and writing at the bottom of their profile, "... and Samy is
my hero."
"This is an attack on the users of the Web site, using the Web site
itself," said Jeremiah Grossman, chief technical officer at WhiteHat
Security.
The worm spread by copying itself into each user's profile. Because of
MySpace's popularity--it had 9.5 billion page views in September,
making it the fourth most-popular site on the Web, according to
comScore Media Metrix--the worm spread quickly. On his Web site, Samy
wrote that he released the worm just after midnight on October 4.
Thirteen hours later, he had added more than 2500 "friends" and
received another 6,400 automated requests to become friends from other
users.
"It didn't take a rocket or computer scientist to figure out that it
would be exponential, I just had no idea it would proliferate so
quickly," Samy said in an e-mail interview posted Friday at Google
Blogoscoped. "When I saw 200 friend requests after the first eight
hours, I was surprised. After 2000 a few hours later, I was worried.
Once it hit 200,000 in another few hours, I wasn't sure what to do but
to enjoy whatever freedom I had left, so I went to Chipotle and
ordered myself a burrito. I went home and it had hit 1,000,000."
Samy also received hundreds of messages from angry MySpace users. He
wasn't contacted by officials from Los Angeles-based MySpace, though
his account was deleted. MySpace was purchased in July by Rupert
Murdoch's News Corp. for $580 million. MySpace representatives didn't
return requests for comment.
Known Vulnerability
The attack depended on a long-known but little-protected vulnerability
called cross-site scripting (XSS). XSS arises because many Web
sites--apart from static sites that use only simple HTML code--are
dynamic, allowing users to manipulate Web site source code.
Web sites and Web browsers such as Internet Explorer and Firefox try
to block such XSS holes, said Grossman. But the vulnerabilities
continue to exist, for which he blames both the browser creators and
the Web site operators.
Standard enterprise network security tools such as firewalls,
antivirus, and Secure Sockets Layer don't thwart XSS and other Web
application attacks because the affected user is already behind his
firewall, said Grossman, whose 14-person firm consults businesses on
how to prevent such attacks.
"The network is pretty locked down. But all of the new attacks are
targeting where nobody is looking--the Web application layer," he
said.
Other Web application-layer break-ins include a case earlier this year
where more than a hundred applicants to Harvard Business School got an
early peek into their admission files by simply modifying the URL
typed into their browser address box. In a more serious phishing
attack last year, someone injected code into SunTrust Banks's Web site
designed to send e-mail from SunTrust's Web site asking account
holders for account details.
Early Example
An early version of an XSS-related vulnerability was discovered in
Hotmail in 2001. That flaw allowed an attacker to send an e-mail with
malformed HTML code to a Hotmail user, whose browser would interpret
the broken commands as legitimate script that would tell the Web site
to steal the user's private information.
Grossman said most such cases go unreported.
While both Firefox and Internet Explorer promise security enhancements
in upcoming versions, Grossman said he doubts they will entirely fix
the XSS problems.
http://www.pcworld.com/news/article/0,aid,123066,tk,dn101805X,00.asp
===
"Computers make it easier to do a lot of things, but most of the things they make it easier to do don't need to be done."
-- Andy Rooney
_________________________________________
Usenet Zone Free Binaries Usenet Server
More than 140,000 groups
Unlimited download
http://www.usenetzone.com to open account
Manipulation pushes MySpace site to record hits, but raises security
concerns.
Eric Lai, Computerworld
Tuesday, October 18, 2005
Using a self-propagating worm that exploits a scripting vulnerability
common to most dynamic Web sites, a Los Angeles teenager made himself
the most popular member of community Web site MySpace.com earlier this
month. While the attack caused little damage, the technique could be
used to destroy Web site data or steal private information--even from
enterprise users behind protected networks, according to an Internet
security firm.
The unknown 19-year-old, who used the name "Samy," put a small bit of
code in his user profile on MySpace, a 32-million member site, most of
whom are under age 30. Whenever Samy's profile was viewed, the code
was executed in the background, adding Samy to the viewer's list of
friends and writing at the bottom of their profile, "... and Samy is
my hero."
"This is an attack on the users of the Web site, using the Web site
itself," said Jeremiah Grossman, chief technical officer at WhiteHat
Security.
The worm spread by copying itself into each user's profile. Because of
MySpace's popularity--it had 9.5 billion page views in September,
making it the fourth most-popular site on the Web, according to
comScore Media Metrix--the worm spread quickly. On his Web site, Samy
wrote that he released the worm just after midnight on October 4.
Thirteen hours later, he had added more than 2500 "friends" and
received another 6,400 automated requests to become friends from other
users.
"It didn't take a rocket or computer scientist to figure out that it
would be exponential, I just had no idea it would proliferate so
quickly," Samy said in an e-mail interview posted Friday at Google
Blogoscoped. "When I saw 200 friend requests after the first eight
hours, I was surprised. After 2000 a few hours later, I was worried.
Once it hit 200,000 in another few hours, I wasn't sure what to do but
to enjoy whatever freedom I had left, so I went to Chipotle and
ordered myself a burrito. I went home and it had hit 1,000,000."
Samy also received hundreds of messages from angry MySpace users. He
wasn't contacted by officials from Los Angeles-based MySpace, though
his account was deleted. MySpace was purchased in July by Rupert
Murdoch's News Corp. for $580 million. MySpace representatives didn't
return requests for comment.
Known Vulnerability
The attack depended on a long-known but little-protected vulnerability
called cross-site scripting (XSS). XSS arises because many Web
sites--apart from static sites that use only simple HTML code--are
dynamic, allowing users to manipulate Web site source code.
Web sites and Web browsers such as Internet Explorer and Firefox try
to block such XSS holes, said Grossman. But the vulnerabilities
continue to exist, for which he blames both the browser creators and
the Web site operators.
Standard enterprise network security tools such as firewalls,
antivirus, and Secure Sockets Layer don't thwart XSS and other Web
application attacks because the affected user is already behind his
firewall, said Grossman, whose 14-person firm consults businesses on
how to prevent such attacks.
"The network is pretty locked down. But all of the new attacks are
targeting where nobody is looking--the Web application layer," he
said.
Other Web application-layer break-ins include a case earlier this year
where more than a hundred applicants to Harvard Business School got an
early peek into their admission files by simply modifying the URL
typed into their browser address box. In a more serious phishing
attack last year, someone injected code into SunTrust Banks's Web site
designed to send e-mail from SunTrust's Web site asking account
holders for account details.
Early Example
An early version of an XSS-related vulnerability was discovered in
Hotmail in 2001. That flaw allowed an attacker to send an e-mail with
malformed HTML code to a Hotmail user, whose browser would interpret
the broken commands as legitimate script that would tell the Web site
to steal the user's private information.
Grossman said most such cases go unreported.
While both Firefox and Internet Explorer promise security enhancements
in upcoming versions, Grossman said he doubts they will entirely fix
the XSS problems.
http://www.pcworld.com/news/article/0,aid,123066,tk,dn101805X,00.asp
===
"Computers make it easier to do a lot of things, but most of the things they make it easier to do don't need to be done."
-- Andy Rooney
_________________________________________
Usenet Zone Free Binaries Usenet Server
More than 140,000 groups
Unlimited download
http://www.usenetzone.com to open account