XSS Vulnerability Found in Recording Industry Association of America Website

In the second week of May 2009, Vektor, a member of Team Elite, a group of security enthusiasts and programmers, said that the website of the Recording Industry Association of America (RIAA) suffered from security flaws, in particular a cross-site scripting (XSS) vulnerability, as reported by SOFTPEDIA on May 6, 2009.

The newly discovered vulnerability in the website (riaa.com) makes it possible to inject malicious IFrames into the website's pages. A malicious IFrame in a page loads content from outside servers and can even load a whole other page. This means that once a rogue IFrame has been injected into a page, it will load content from any site the attacker chooses (including a clean one), and once that content is loaded, the page itself becomes malicious.
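To make the mechanism concrete, here is an added example (not code from the article or from the affected sites) that models a search page echoing a user-supplied query: the vulnerable renderer concatenates the query straight into the HTML, so an injected IFrame becomes part of the page, while the hardened renderer encodes the query for the HTML body context and adds a Content-Security-Policy header that forbids framing third-party content. The query string and the `attacker.invalid` host are constructed placeholders.

```javascript
// Added example: reflected XSS via IFrame injection, and its fix by output encoding.
// Models a search page that reflects the user's query back into the HTML body.

// Minimal HTML entity encoder for the HTML body context (& < > " ').
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the query is concatenated into the markup unencoded, so any
// markup in the parameter (such as an <iframe>) becomes part of the page.
function renderVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: the query is encoded for the HTML body context, and the response
// carries a Content-Security-Policy that disallows framing other origins as
// defence in depth should another injection point be missed.
function renderHardened(query) {
  return {
    headers: { "Content-Security-Policy": "default-src 'self'; frame-src 'none'" },
    body: `<p>Results for: ${escapeHtml(query)}</p>`,
  };
}

// Checks whether the rendered markup contains a live <iframe> element.
function containsIframe(html) {
  return /<iframe\b/i.test(html);
}

// Constructed sample input: a query carrying an IFrame that points at a
// placeholder host, the kind of injection the article describes.
const constructedQuery = '<iframe src="https://attacker.invalid/"></iframe>';

const vulnerablePage = renderVulnerable(constructedQuery);
const hardenedPage = renderHardened(constructedQuery);
console.log("vulnerable page contains iframe:", containsIframe(vulnerablePage)); // true
console.log("hardened page contains iframe:", containsIframe(hardenedPage.body)); // false
```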

Commenting on the vulnerability in riaa.com, Richard Kirk, Director at Fortify, said that sites like riaa.com were vulnerable to XSS attacks and that the recent incident should not surprise anyone, since some sites were so poorly designed that they were open to such attacks, as reported by The Register on May 8, 2009.

In fact, Vektor also disclosed that it had found XSS bugs in other websites managed by the Motion Picture Association of America (MPAA). Moreover, the association owns nearly 12 different domains that link to this website. Vektor further explained that the XSS bug in all these websites enabled unscrupulous marketers to raise the rating of any malicious Trojan or movie, as reported by SOFTPEDIA on May 6, 2009.

It has also been found that the RIAA websites suffered a similar malicious XSS attack in 2008, which was soon cleaned up. RIAA reacted to the problem immediately and fixed it within a few hours. However, the fix did not come before the malware had been inserted into the systems of thousands of people.

Finally, it has also been learnt that members of Team Elite have discussed the XSS flaw and other web vulnerabilities in many renowned websites, including those of eBay, McAfee, Intel, ESET, Symantec, Kaspersky and Avira. An XSS flaw was also reported in mpaa.org during the first week of May 2009.

» SPAMfighter News - 20-05-2009
