Feeds

Security vuln in NTL spam

Cross-site scripting exploit

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Spam email recently sent out on behalf of NTL pointed to a potentially serious vulnerability in the cable operator's online processing system.

Although NTL acted quickly to shore up the potential problem it serves as yet another example of why spam messages can damage an organisation's brand.

The offending message was sent to Matthew Garrett, of Cambridge University's Computer Laboratory, via a third party but pointing to a seemingly legitimate NTL offer.

"I wasn't terribly amused by this, but checked the Web site to see whether it did seem legitimate," Garrett explains. "While there, I noticed that there seemed to be a large amount of English embedded in the URL, which also appeared in the text of the page."

Garrett discovered that extra HTML tags could be inserted into the URL, and worse, this extra information was passed through the link to a supposedly secure ordering page.

Oh dear.

"With the aid of Steven Murdoch, a member of Ross Anderson's security group here in Cambridge, we constructed a cross-site scripting exploit that could be embedded in the original url," Garrett explained.

"Normally this sort of attack can be used to obtain user's cookies, but since a page taking credit card numbers was involved this time it also allows for a hostile user to cause the credit card numbers (along with all the other personal information) to be sent to a site somewhere else."

Oops. Again.

The researchers created a proof of concept code to prove that the vulnerability could be maliciously exploited using JavaScript embedded in an obfuscated url sent to potential victims.

"Instead of popping up boxes, the JavaScript could wait until you click on the submit button and send your credit card number, address, phone number and all off to Johnny Badman's hacked server somewhere in Russia."

But would people visit this URL?

"NTL have already demonstrated that at least one of their advertising contractors is happy to spam people, so it'd look just as legitimate," Garrett argues.

Just as well that NTL has now fixed these security vulnerabilities. Let's hope it stops paying third parties to spam people too.

NTL told Garrett that it had asked a third party to check that the addresses were opt-in, but that about 50 per cent of the addresses they were told were clean were in fact trawled from Usenet and the like.

NTL scripting errors serve as an example for other organisations. So what lessons can we learn?

The real issue, according to Garrett, is "taking information from a URL and embedding it in a page - it's pretty much impossible to do this without letting people insert HTML tags that let them embed scripts from other websites (for instance) which subvert the page functionality. If the page is collecting credit card numbers, then the consequences are fairly obvious."

"Website authors need to be more paranoid," he argues.

"There are people who are sufficiently competent to work out how to pass variables to you scripts, even if you don't think that it's likely. Doing this with a site that accepts credit cards is a desperately bad idea, but it can be used for attacks in any case.

"There should be no excuse for making this sort of mistake."

The use of spam to tempt people to a poorly constructed Web site only makes matters worse.

As Garrett notes: "Spamming sufficiently competent people is likely to piss them off enough to subvert your website." ®

Related Stories

NTL working on 'intermittent' email problem
NTL in alleged hack probe
FBI names 20 most unwanted security flaws

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.