Over 99 percent of About.com links vulnerable to XSS, XFS iframe attack

About.com has a huge security problem, but it’s likely worse for the over 98 million monthly visitors to the About Group’s various topic-specific subdomains.

A security researcher disclosed Monday that “at least 99.88%” of all topic links and all domains related to About.com are vulnerable to open XSS (Cross Site Scripting) and Iframe Injection (Cross Frame Scripting, XFS) attacks.

According to the researcher’s findings and proof-of-concept results, all subdomains of About.com are affected.

Wang Jing, of the Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS) at Nanyang Technological University (NTU) in Singapore, disclosed the massive vulnerabilities — essentially attack vectors that About.com is distributing to its unwitting visitors — on Sunday, Oct 19, 2014, but received no response.

“Until now,” he said at the time of his public disclosures Monday, February 2 — over three months later — “they are still unpatched.”

Jing added, “Simultaneously, the About.com main page’s search field is vulnerable to XSS attacks too. This means all domains related to About.com are vulnerable to XSS attacks.”

XSS: Intriguingly versatile — and really bad

XSS is listed in OWASP’s 2013 top 10 of evil, or rather, 2013’s Top Ten Application Security Risks.

Because these kinds of attacks go after the user rather than a server or application, the vulnerability on About.com’s subdomains put all visitors at risk of attacks that can steal data (such as cookie information and saved logins) and enable identity theft; take control of a user’s session in a different tab; run malicious code (even against your home router); access clipboard contents; gain access to free or paid content; reach into your network; or serve as part of a phishing scam.

Security researchers reading this will be keen to know that the About.com attacks are open to anyone.

XSS attacks are a staple of both research and crime; they have been around since the Internet was young, and are regularly used by penetration testers helping websites and organizations beef up their security.

But they’re cancer for the ordinary user’s security.

Jing said, “For the Iframe Injection vulnerabilities, [they] can be used to do DOS (Denial-of-Service Attack) to other websites, too.”

Due to the critical, large-scale nature of the issue, Jing created a detailed report and proof-of-concept documentation (including the video below), and disclosed the problem on his blog, the blog Security Pitch, and his Twitter feed.

If you think About.com is some GeoCities-era relic from the past no one looks at anymore, think again: About’s 1000+ topic subdomains are Wikipedia competitors, and according to Traffic Estimate the network’s overall traffic hit more than 98.5 million unique visitors in January 2015.

According to Jing, the vulnerabilities can be exploited without the user being logged in, and they work across all the popular browsers.

For Jing’s XFS and open redirect attacks, “Tests were performed on Microsoft IE (10.0.9200.16750), Windows 8, Mozilla Firefox (34.0), Google Chromium 39.0.2171.65-0, Ubuntu (14.04), and Apple Safari (6.1.6 of Mac OS X Lion 10.7).”

For Jing’s About.com XSS attacks, “Tests were performed on Mozilla Firefox (26.0) in Ubuntu (14.04), and Microsoft IE (9.0.15) in Windows 7.”

On the Full Disclosure list he included, “The vulnerability occurs at About.com ‘offsite.htm’ page with ‘zu’ parameter,” and included several vulnerable URLs and PoC URLs in his disclosure posts.

All links under the topics of about.com can be used for this attack. Just attach “/lr/” to any About.com’s sub-domains. Then attach “any codes + script” or attach “script” code directly is OK.

The structure is (…)
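The defect described above is a reflected parameter written back into the page without encoding. As an added illustration (not code from the article or from Jing’s disclosure), the Python below shows why an unencoded reflection lets the browser parse injected markup as tags, and how HTML-encoding the same value at output time renders it as inert text. The host, the URL and the `probe()` value are constructed for the example; only the `zu` parameter name comes from the disclosure, and the tag collector exists purely to make the difference measurable.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: a made-up host, the "zu" parameter named in the
# disclosure, and a harmless probe value standing in for injected markup.
SAMPLE_URL = "https://example.invalid/lr/?zu=<script>probe()</script>"


def reflected_value(url: str, param: str) -> str:
    """Return the first value of `param` from the URL's query string ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(param, [""])[0]


def render_vulnerable(value: str) -> str:
    """Reflect the parameter into the page untouched (the defect under discussion)."""
    return f"<p>You searched for: {value}</p>"


def render_hardened(value: str) -> str:
    """HTML-encode the parameter at output time; quote=True also covers attribute contexts."""
    return f"<p>You searched for: {html.escape(value, quote=True)}</p>"


class TagCollector(HTMLParser):
    """Record every start tag the parser sees, i.e. what a browser would act on."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def tags_in(fragment: str) -> list[str]:
    """Parse an HTML fragment and return the start tags it contains, in order."""
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    value = reflected_value(SAMPLE_URL, "zu")
    print("vulnerable:", tags_in(render_vulnerable(value)))  # ['p', 'script']
    print("hardened:  ", tags_in(render_hardened(value)))    # ['p']
```

The point of the comparison is that the hardened page carries exactly the same characters the visitor supplied; only their interpretation changes, which is why output encoding (rather than input filtering) is the fix that survives filter-bypass variants.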

OWASP defines the attacks as:

In an XFS (Cross-frame-Scripting) attack, the attacker exploits a specific cross-frame-scripting bug in a web browser to access private data on a third-party website. The attacker induces the browser user to navigate to a web page the attacker controls; the attacker’s page loads a third-party page in an HTML frame; and then javascript executing in the attacker’s page steals data from the third-party page.

XFS also sometimes is used to describe an XSS attack which uses an HTML frame in the attack. For example, an attacker might exploit a Cross Site Scripting Flaw to inject a frame into a third-party web page; or an attacker might create a page which uses a frame to load a third-party page with an XSS flaw.
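Both variants in the OWASP definition above depend on one precondition: the third-party page must be loadable inside a frame on a page the attacker controls. Sites refuse that with the X-Frame-Options header or, more precisely, a Content-Security-Policy frame-ancestors directive. The Python below is an added example, not the article’s or OWASP’s code: it evaluates those two headers the way browsers do (frame-ancestors takes precedence when present; an absent or unrecognised X-Frame-Options value leaves the page framable) and runs the check over a handful of constructed responses. The origins are placeholders, and the frame-ancestors matcher is simplified to 'none', 'self', '*' and exact origins.

```python
from typing import Dict, List, Optional

Headers = Dict[str, str]


def _header(headers: Headers, name: str) -> Optional[str]:
    """Case-insensitive header lookup; None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP header, or None if absent.

    Simplified matcher: keywords lose their quotes and everything is lowercased.
    """
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_allowed(headers: Headers, page_origin: str, embedder_origin: str) -> bool:
    """May a page served with `headers` from `page_origin` be framed by `embedder_origin`?

    Precedence mirrors browsers: a CSP frame-ancestors directive overrides X-Frame-Options,
    and an unrecognised X-Frame-Options value is ignored, i.e. offers no protection.
    """
    same_origin = page_origin.lower() == embedder_origin.lower()

    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = _frame_ancestors(csp)
        if sources is not None:
            if not sources or "none" in sources:
                return False
            if "*" in sources:
                return True
            if "self" in sources and same_origin:
                return True
            return embedder_origin.lower() in sources

    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return False
        if value == "SAMEORIGIN":
            return same_origin
        # ALLOW-FROM and anything else: not understood by current browsers, so no protection.

    # No framing policy at all: any site may frame the page, the XFS precondition.
    return True


def audit(responses: Dict[str, Headers], page_origin: str, attacker_origin: str) -> Dict[str, bool]:
    """For each named response, report whether an unrelated origin could frame it."""
    return {name: framing_allowed(h, page_origin, attacker_origin) for name, h in responses.items()}


# Constructed responses; the origins are placeholders, not real hosts.
PAGE = "https://topic.example"
PARTNER = "https://partner.example"
ATTACKER = "https://attacker.example"

SAMPLE_RESPONSES: Dict[str, Headers] = {
    "no-policy": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-sameorigin": {"x-frame-options": "SAMEORIGIN"},
    "csp-self-partner": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://partner.example"
    },
    "csp-none-over-xfo": {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "SAMEORIGIN",
    },
}

if __name__ == "__main__":
    for name, framable in audit(SAMPLE_RESPONSES, PAGE, ATTACKER).items():
        print(f"{name:20s} framable by third party: {framable}")
```

Run against real responses, the only result that matters for the XFS case is the first one: a page with no framing policy at all is one any site can embed. The last sample shows why the check must read CSP first, since a browser that honours frame-ancestors 'none' refuses the frame even though X-Frame-Options alone would have allowed same-origin embedding.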

In the first of ComputerWeekly’s excellent series on application-layer attacks, Michael Cobb writes, “XSS attacks work even if the site is viewed over an SSL connection, because the script is run in the context of the ‘secured’ site, and browsers cannot distinguish between legitimate and malicious content served up by a Web application.”

Users have few defenses against XSS and XFS attacks beyond avoiding the vulnerable websites and practicing good privacy hygiene: not letting your browser ‘remember’ logins and passwords, blocking as many tracking cookies as possible, keeping sensitive data in encrypted storage, and changing logins and passwords frequently (especially for critical accounts, such as banking and medical sites).
