XSS flaws poke ridicule at entertainment industry

MPAA spanked by Pirate Bay backlash

Cheeky crackers used a cross-site scripting flaw on the web sites of the Motion Picture Association of America (MPAA) to inject listings from controversial torrent links site The Pirate Bay.

Vektor, a member of the Team Elite group of hackers, smuggled links culled from The Pirate Bay into content served up when surfers visited the MPAA's recommended list of sites. The MPAA's legal action against The Pirate Bay makes the supposed endorsement ironic and embarrassing, if not completely unexpected.

Cross-site scripting (XSS) security flaws on websites are all too commonplace, and the MPAA is a high-profile target, especially after the four defendants in The Pirate Bay trial were recently found guilty. So it was only really a question of time until hackers managed to find a chink in its armour to exploit.

Earlier denial of service attacks against entertainment industry websites scored limited successes in the aftermath of The Pirate Bay verdict on 17 April.

According to Vektor, the Recording Industry Association of America (RIAA) website is vulnerable to flaws similar to those he exploited to embarrass the MPAA earlier this week, Softpedia reports. Vektor used this flaw to inject listings from Mininova, another well-known torrent tracker, into pop-up windows displayed when users visited portions of the RIAA website.

Although the MPAA has reportedly addressed the flaws on its main website following the attack, other MPAA-controlled websites involved in movie ratings remain vulnerable to much the same type of exploit.

Screengrabs illustrating the mischief wrought by Team Elite on the RIAA and movierating.org websites can be found via Softpedia here.

The vulnerabilities create a means for rogue iFrames from third-party servers to be presented to surfers as if they came from the site they are visiting, when in reality they come from locations determined by hackers.
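The pattern behind this class of flaw, as an added illustration that is not part of the original article: a page that pastes a request parameter straight into its HTML lets an attacker-supplied iframe render under the site's own origin, while HTML-escaping the parameter turns the same input into harmless text. The site origin, the markup and the injected string are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholder for the site being protected (not a real MPAA/RIAA host).
SITE_ORIGIN = "https://trade-group.example"


def render_unsafe(term: str) -> str:
    """'Before': untrusted input is concatenated into the page unchanged."""
    return f"<p>Results for: {term}</p>"


def render_safe(term: str) -> str:
    """'After': the same input is HTML-escaped, so tags become inert text."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


class _FrameCollector(HTMLParser):
    """Records the src of every iframe element actually present in the markup."""

    def __init__(self) -> None:
        super().__init__()
        self.frame_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            for name, value in attrs:
                if name == "src" and value:
                    self.frame_srcs.append(value)


def foreign_frames(rendered_html: str, site_origin: str = SITE_ORIGIN) -> list:
    """Return iframe sources whose scheme+host differ from the site's own origin.

    A non-empty result on a rendered response is the symptom the article
    describes: third-party content presented as if it came from the site.
    """
    parser = _FrameCollector()
    parser.feed(rendered_html)
    own = urlparse(site_origin)
    result = []
    for src in parser.frame_srcs:
        parsed = urlparse(src)
        if (parsed.scheme, parsed.netloc) != (own.scheme, own.netloc):
            result.append(src)
    return result


# Constructed sample of the kind of input a reflected parameter might carry.
INJECTED = '<iframe src="https://third-party.example/listing"></iframe>'
```

Running `foreign_frames(render_unsafe(INJECTED))` reports the third-party frame, while `foreign_frames(render_safe(INJECTED))` is empty because the escaped markup contains no iframe element at all.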

XSS flaws on both the MPAA (examples here) and RIAA (here) websites have cropped up from time to time in the past, a quick search of security website XSSed reveals.

Security suppliers, such as application security firm Fortify, said that Vektor's attacks against the RIAA and MPAA were each effectively accidents waiting to happen.

"That such sites are open to XSS-driven incursions and alterations comes as no surprise, given the fact that so many sites are poorly programmed and therefore open to such attacks," said Richard Kirk, a director at Fortify. "The MPAA is lucky that Vektor's attack was a proof-of-concept one, and intended as something of a joke. The next time they - and other organisations whose sites are vulnerable to XSS-driven attacks - may not be so lucky," he added. ®
