Feeds

Symantec finally secures HackIsWack

It's such a bungle, sometimes, it makes you wonder...

Protecting against web application threats using SSL

Symantec has belatedly secured its laughable HackIsWack competition website.

The site - a collaboration between the security software firm and rapper Snoop Dogg - is designed to raise awareness about malware and identity theft by providing a forum for a user-generated cybercrime-themed rap competition. The site had a slow start, and currently boasts an underwhelming 22 videos.

Reg commentards have described the campaign as the most comically inept since the Don't Copy that Floppy anti-piracy screed of the 1990s, an earlier rap music meets security multi-purpose fail.

Even more embarrassingly the security giant went live with a branded site that was riddled with security holes, including a cross-site scripting flaw that amusingly lent itself to a rickrolling attack. In a statement issued over the weekend, Symantec acknowledged the problems, which it said were now resolved.

Symantec was made aware of reported vulnerabilities to the Norton Hack is Wack microsite, and we quickly took the necessary steps to enhance security on the site. We have found no evidence to date that any intrusion into the site or other areas of Symantec’s network or website have occurred.

To date, Symantec can confirm that no company or customer data has been compromised or exposed.  Symantec takes the security of our website and microsites very seriously, and we have taken the necessary steps to resolve this issue.

The statement fails to explain why Symantec went live with an apparently untested and seriously flawed site, which one wag suggested might have been coded by Snoop Dogg rather than an experienced security-aware web developer.

The rickrolling XSS was only the most publicised of the site's many flaws. Security blogger Mike Bailey did a good job last week in compiling a list of numerous flaws present on the site at the time, which included the caching of potentially sensitive data and upload security problems, among others.

Hack is Wack site is chock full of holes. For example, there's the publicly available, indexed cache directory with all that SQL, JSON and other data. There's the XSS vulns (HTML5 only, though it should be simple enough to rewrite), CSRF holes, and the Flash upload issues in the video upload script (a Joomla module that appears to have been used without any quality control or review despite the fact that it's currently in Alpha)

The original XSS rickrolling exploit has been blocked and, we take on trust but have not confirmed, Symantec has also mopped up the other flaws on the site. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.