Expert warns of holes in well-known Internet portals
Security expert Yash Kadakia has found security holes in three prominent Internet portals. In his blog, he has published screenshots of Internet.com, Amazon, and MSN with the page content changed by means of cross-site scripting (XSS). Attackers can transmit arbitrary script code to the browsers of anyone who can be tricked into clicking on a manipulated link. In addition, he believes that the web sites of Amazon and MSN contain several weak points that attackers can partly exploit via the net to have arbitrary code injected into the web servers. The hole at Internet.com can also apparently be exploited in this manner.
Kadakia says he will refrain from publishing more details about which server sites are affected and how the holes can be exploited in order to give the portal operators time to act. In his blog, he criticizes the companies for failing to react faster. He says that he reported the holes more than a year ago, but most of them have yet to be remedied. He now plans to make the weak points public a few at a time to force the operators to take action.
Cross-site scripting is a technique that attackers can misuse to embed their own script code into vulnerable web sites via prepared links. If you click on such a link, your Web browser executes the code with the rights of the attacked web site. In general, the problem stems from insufficient filtering of variables that are transmitted in the URL to the scripts.
See also the article Cross-Site Scripting: Data theft on the rebound at heise Security.