Fwd: Netcraft News - Wednesday September 22, 2010

صادق

Sep 22, 2010, 8:28:12 AM
to yazdlug
WooW!
- Sadeq



---------- Forwarded message ----------
From: <anno...@lists.netcraft.com>
Date: Wed, Sep 22, 2010 at 15:50
Subject: Netcraft News - Wednesday September 22, 2010
To: sad...@gmail.com


Earlier this morning, an Australian teenager discovered a new cross-site scripting vulnerability on twitter.com. Just a couple of hours later, hackers used the same flaw to launch a massive XSS worm attack against Twitter users.

By posting specially crafted tweets, zzap noticed he could get other Twitter users to execute arbitrary JavaScript whenever they moved the mouse cursor over the affected messages.

zzap appears to have discovered the vulnerability shortly after seeing RainbowTwtr's colourful use of CSS injection to display the colours of the rainbow.

Using a similar technique, zzap was able to inject an onmouseover attribute containing arbitrary JavaScript. This was first demonstrated with an "uh oh" message, which zzap recognised as an XSS vulnerability.

zzap (jokingly?) suggested that nobody should tell the 4chan forum about the XSS vulnerability; however, some other users have already started Rickrolling other users by tweeting Rick Astley lyrics in pop-up JavaScript alert messages. It is feasible for much larger JavaScript payloads to be loaded from external websites, which could allow complex cross-site request forgery attacks (CSRF) against authenticated Twitter users.

zzap later demonstrated that it was possible to steal cookies from Twitter users, by displaying the contents in another pop-up message. This could be mitigated to some extent if Twitter used the HttpOnly attribute for their cookies — this would prevent injected scripts from being able to directly access the document.cookie value.

Although the XSS exploits demonstrated by zzap were mostly harmless, some users were nonetheless baffled by the unexpected behaviour and concluded that Twitter had been hacked:

zzap told another Twitter user that the flaw could be used to steal account information, while one of his other examples made the obvious point:

Rather impressively (and also unfortunately), it took less than 2 hours for hackers to exploit this vulnerability in a wide scale fashion. Many users have already been targeted by scripts which attempt to propagate in a worm-like fashion, or load larger JavaScript payloads from external locations.

Searching Twitter for "onmouseover" shows many of the different attack vectors currently being exploited and propagated:

The vulnerability is still present right now, but John Adams at Twitter Security responded to Netcraft within just a few minutes to say they are looking into it.

Posted by Paul Mutton on 21st September, 2010 in Security
Copyright © Netcraft Ltd 2010. All Rights Reserved.

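Added example, not part of the forwarded newsletter and not Twitter's code: the article describes an injected onmouseover attribute and suggests HttpOnly cookies, so this sketch shows a link renderer that pastes text into an attribute unencoded, beside a context-encoding version, plus a regression check and an HttpOnly cookie. The renderer, function names, sample message and the placeholder `note()` handler are all assumptions made for illustration.

```javascript
// Added example: a constructed renderer, not Twitter's code.
const URL_RE = /https?:\/\/\S+/g;

// Encode every character that can close or extend a quoted attribute value.
function escapeAttr(s) {
  return s.replace(/[&<>"'`=]/g, c => `&#${c.charCodeAt(0)};`);
}

// Encode text placed between tags.
function escapeText(s) {
  return s.replace(/[&<>]/g, c => `&#${c.charCodeAt(0)};`);
}

// Before: the matched URL is pasted into href="..." with no encoding.
function linkifyNaive(text) {
  return text.replace(URL_RE, u => `<a href="${u}">${u}</a>`);
}

// After: attribute and text contexts are each encoded for their context.
function linkifySafe(text) {
  let out = "", last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeText(text.slice(last, m.index));
    out += `<a href="${escapeAttr(m[0])}">${escapeText(m[0])}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeText(text.slice(last));
}

// Regression check: list on* attributes on any opening tag of rendered output.
// Simplified tokenizer, adequate for the output this renderer produces.
function eventHandlerAttrs(html) {
  const found = [];
  for (const tag of html.match(/<[a-zA-Z][^>]*>/g) || []) {
    const bare = tag.replace(/"[^"]*"|'[^']*'/g, " ");
    for (const m of bare.matchAll(/\s(on[a-z]+)\s*=/gi)) found.push(m[1].toLowerCase());
  }
  return found;
}

// Session cookie marked HttpOnly, so script cannot read it via document.cookie.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly`;
}

// Constructed sample message; note() is a placeholder handler name.
const sample = 'look http://example.test/"onmouseover="note()" nice';
console.log(eventHandlerAttrs(linkifyNaive(sample)));
console.log(eventHandlerAttrs(linkifySafe(sample)));
```

The check is meant to run in a test suite over the renderer's output for a set of hostile-looking inputs, so an encoding regression is caught before release.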