Cross Site Scripting (XSS) – It’s Bad For Your Financial Health

Internet Rumors Can Be Damaging - Even If Unconfirmed

A woman working at HP sent an email to hundreds of co-workers claiming that a snack made by Osem, one of the largest food manufacturers in Israel and a local subsidiary of Nestle, had caused the death of an infant.

The email spread quickly, and the result was a 6% drop in Osem's stock in just a few hours.
The email wasn't sophisticated. It wasn't even remotely true. Still, Osem, one of the largest companies in Israel, had its stock damaged by a completely false email rumor.

Apple's stock goes down whenever rumors circulate that Apple's CEO Steve Jobs has had a heart attack. The stock takes a beating every time that rumor surfaces, and it surfaces regularly.

Stocks going up or down because of rumors is as old as the stock market itself. But the Internet makes it easier to fabricate a rumor and have it reach far and wide within hours. Add one more component and a stock could be driven deep into the ground: credibility. For maximum credibility, how about planting a confirming statement on the corporate web site?

How Damaging Could A Confirmed Rumor Be?

Imagine seeing a news item on the corporate web site www.apple.com that actually confirmed the death of Steve Jobs. Imagine seeing on Osem's web site an admission that their snack was indeed poisoning infants. What would happen to their stock then?

Here's the scary part: it is not difficult to do this. Nobody needs to break in or deface the corporate web site for this to happen. All that is needed are these two things:
1)    An unfixed Cross Site Scripting (XSS) vulnerability on the corporate site, typically a reflected one, where a value taken from the URL is echoed into the page without encoding, and
2)    A carefully crafted link to the corporate site that exploits the vulnerability, included in the alarming email, on a social network page or in a Twitter 'tweet'

The link in the email appears to take the alarmed reader to the corporate site, and in a sense it does: the address bar shows the company's own domain and the page is served by the company's own server. But the link carries the XSS attack, and the script it injects rewrites the page the reader sees into one created by the attacker, confirming the alarming content. When that link is forwarded, every other person who follows it sees the same faked page. How far and how fast can such a link spread? See the two examples at the beginning of this article again.
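As an added example (not code from the original article or from Beyond Security), the following Node.js script models the two ingredients above: a corporate search page that reflects a URL parameter straight into its HTML, the crafted link that would be circulated with the rumor, and the output-encoding fix. The hostname www.example.com, the parameter name `q` and the "press release" payload are all hypothetical.

```javascript
// Added example: a reflected XSS in a hypothetical "investor news" search page,
// the link that exploits it, and the escaping fix. Nothing here is a real site.

// Vulnerable server-side template: the search term from the URL is concatenated
// into the HTML with no output encoding.
function renderSearchPageVulnerable(query) {
  return [
    '<html><body>',
    '<h1>Investor News</h1>',
    '<p>Results for: ' + query + '</p>',
    '</body></html>',
  ].join('\n');
}

// Contextual output encoding for the HTML text context (and attribute values).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened template: identical page, but the untrusted value is encoded before
// it is placed into the HTML, so '<script>' arrives in the browser as text.
function renderSearchPageSafe(query) {
  return [
    '<html><body>',
    '<h1>Investor News</h1>',
    '<p>Results for: ' + escapeHtml(query) + '</p>',
    '</body></html>',
  ].join('\n');
}

// The attacker's payload (constructed for this example): a script that replaces
// the visible page with a fabricated announcement. No cookie is read, so the
// HttpOnly cookie flag does nothing against it.
const PAYLOAD =
  '<script>document.body.innerHTML=' +
  '"<h1>Press release</h1><p>The board confirms the reports.</p>"' +
  '</script>';

// The link that would be pasted into the rumor e-mail or tweet. The URL class
// percent-encodes the payload, so the link looks like an ordinary site URL.
function buildAttackLink(baseUrl, payload) {
  const url = new URL(baseUrl);
  url.searchParams.set('q', payload);
  return url.toString();
}

// Model of the server handling that link: parse the query string, render the page.
function handleRequest(link, render) {
  const q = new URL(link).searchParams.get('q') || '';
  return render(q);
}

// Check whether a response contains a live <script> tag originating from input.
function containsInjectedScript(html) {
  return /<script[\s>]/i.test(html);
}

// Hypothetical corporate site; the domain shown to the victim is the genuine one.
const attackLink = buildAttackLink('https://www.example.com/news/search', PAYLOAD);
const vulnerablePage = handleRequest(attackLink, renderSearchPageVulnerable);
const safePage = handleRequest(attackLink, renderSearchPageSafe);

console.log('Link circulated in the rumor e-mail:\n  ' + attackLink);
console.log('Vulnerable page executes attacker script:', containsInjectedScript(vulnerablePage));
console.log('Hardened page executes attacker script:  ', containsInjectedScript(safePage));
```

The point to notice is that the vulnerable site never stores anything: the fake announcement exists only inside the link, yet every recipient who clicks it sees it on the company's own domain. Output encoding at the point where untrusted data meets HTML is the fix; a Content-Security-Policy that disallows inline script is a worthwhile second layer.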

How Hard Is It To Do XSS?

Not hard at all. In fact, we gave a quick proof-of-concept demonstration to the Tel Aviv Stock Exchange (TASE) a few years ago, planting a false news item using a cross site scripting attack. The reaction from TASE was one familiar to any computer security expert who has ever reported an XSS vulnerability: "This is not really a problem, as there was no change to any page on our site". For something that is "not a problem", they sure fixed it within the hour.

We've had this same response almost every time our vulnerability scanning service (see http://www.beyondsecurity.com/vulnerability-scanner.html) finds an XSS vulnerability in a Fortune 500 corporate or government site. We are often asked to explain why the report presents it as a serious issue. Using cross site scripting we have demonstrated planting false financial reports in the 'investors' section and altering news items, and in almost all cases we have been met with the reaction: "this is not a real vulnerability" and "how can this really affect me?"

Who’s Damaged By A Cross Site Scripting Attack?

Most security researchers explain XSS as an attack that steals cookies from site visitors. The damaged party in that case is 'just' the web site visitor, who loses his account and any funds that may be connected to it (setting aside that attackers may take the stolen account and use further exploits to escalate privileges until they end up owning your server!).

While loss to the site visitor is a likely outcome, I think there is a greater risk in the alteration of information on a 'trusted' page. An altered page is useful in a phishing attack, or, as in the examples above, in an attack intended to drive down a stock the attacker has sold short. Note that the HttpOnly cookie flag, the usual partial mitigation for cookie theft, does nothing against this: the injected script never needs to read a cookie, only to rewrite what the visitor sees.

I'm waiting for the first XSS attack that tanks a big company's stock after the attacker has sold it short. If you are responsible for the security of your site, make sure your company won't be the one.

About the Author:

Mr. Jenik has 17 years of experience in the computer security field. From the early days of computer viruses he was involved in the fields of encryption, security vulnerability detection and research. He worked in development, marketing and sales roles in several startups, and had two successful exits before co-founding Beyond Security in 1999. Aviram has a BSc in Computer Science with a major in cryptography and an MBA from T.A. University with majors in strategy and entrepreneurship.
Beyond Security, www.BeyondSecurity.com
US: 1-800-801-2821
UK: +44-203-006-3022
Israel: +972-9-8656850

Article Source: ArticlesBase.com - Cross Site Scripting (XSS) – It’s Bad For Your Financial Health

Computer Security, Network Security, Web Site Security, Xss, Cross Site Scripting