Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Websites across the internet are doing the Harlem Shake after online comedians began exploiting cross site scripting (XSS) flaws that make pages dance and speakers blare.
The flaws exist in the DNS text record – not the protocol – due to a lack of sanitation, and allowed internet scamps to turn boring websites like Who.is into a text-wobbling, screen-flashing dance parties.
A registrant of the domain that cooked up the stunt noticed the flaw and dropped < script > and < iframe > tags into TXT records, which were loaded by Who.is and MxToolbox.
The record type could store arbitrary text linked to a domain that would be improperly executed allowing hackers to pull of XSS attacks.
"The DNS protocol is not vulnerable in this instance – the attack is the result of a vulnerability in the web application and how it parses the results from the DNS query," NCC Group Asia Pacific managing director Wade Alcorn said.
"A web application firewall would not have prevented this attack. This scenario emphasises the need for secure coding practices and that all inputs to an application should defend against attackers."
Who.is has fixed the vulnerability but MXtoolbox was still Harlem Shaking at the time of writing.
The attack was more comedic than complex and demonstrated how popular websites like Who.Is still contained one of the most prolific flaws on the internet.
The attack vector did open up means for further attacks involving more scripts and data theft.
Alcorn recalled XSS attacks that rendered emails and and even those targeting eBook readers.
El Reg and another online user have captured the XSS job for your viewing pleasure. ®