XSS Vulnerability Found in Recording Industry Association of America Website
In the second week of May 2009, Vektor, a member of Team Elite, a group of security enthusiasts and programmers, said that the website of the Recording Industry Association of America (RIAA) suffered from security flaws, particularly a cross-site scripting (XSS) vulnerability, as reported by SOFTPEDIA on May 6, 2009.
The newly discovered vulnerability in the website (riaa.com) allows malicious IFrames to be injected into the website's pages. An injected IFrame loads content from an outside server, even an entire other page. This means that once a malicious IFrame has been injected into a page, it can load content from any site (including a clean one), and once that content is loaded, the page itself becomes malicious.
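As an added illustration (not code from the article, RIAA or Team Elite), the reflection defect behind this class of bug and its fix, in Python: the vulnerable handler reflects a request parameter into the page unencoded, so an injected IFrame tag becomes live markup, while the hardened handler entity-encodes it; a response check then parses the rendered HTML and flags any IFrame pointing off-site. The attacker host and the search page are constructed placeholders.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample input: a request parameter carrying an IFrame tag,
# the kind of injection described in the article. Host is a placeholder.
INJECTED_QUERY = '<iframe src="http://attacker.example/"></iframe>'


def render_vulnerable(query: str) -> str:
    """Reflects the untrusted value into HTML as-is: the XSS defect."""
    return f"<p>Results for: {query}</p>"


def render_hardened(query: str) -> str:
    """Same page, but the untrusted value is entity-encoded before output,
    so '<', '>' and quotes are rendered as text, never as markup."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


class _TagCollector(HTMLParser):
    """Collects start tags; entity-encoded text never produces a tag."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict[str, str | None]]] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append((tag, dict(attrs)))


def external_iframes(rendered: str, allowed_hosts: set[str]) -> list[str]:
    """Defensive response check: hostnames of <iframe> elements whose src
    points outside the allowed set. An empty list means no off-site frame."""
    parser = _TagCollector()
    parser.feed(rendered)
    hosts = []
    for tag, attrs in parser.tags:
        if tag != "iframe":
            continue
        host = urlparse(attrs.get("src") or "").hostname
        if host and host not in allowed_hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    print("vulnerable:", external_iframes(render_vulnerable(INJECTED_QUERY), {"riaa.com"}))
    print("hardened:  ", external_iframes(render_hardened(INJECTED_QUERY), {"riaa.com"}))
```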
Commenting on the vulnerability in riaa.com, Richard Kirk, a director at Fortify, said that sites like riaa.com were vulnerable to XSS attacks and that the recent incident should not surprise anyone, since some sites were so poorly designed that they were open to such attacks, as reported by The Register on May 8, 2009.
In fact, Vektor also disclosed that it had found XSS bugs in other websites managed by the Motion Picture Association of America (MPAA). Moreover, the association owns nearly 12 different domains that are linked to this website. Vektor further explained that the XSS bug in all these websites enabled smart marketers to raise the rating of any malicious Trojan or movie, as reported by SOFTPEDIA on May 6, 2009.
It has also been found that the RIAA websites suffered a similar XSS attack in 2008, but were soon wiped clean. RIAA reacted to the problem instantly and fixed it within a few hours. However, the company failed to restore the lost content before the malware had been inserted into the systems of thousands of people.
Finally, it has also been learnt that members of Team Elite discussed XSS flaws and other web vulnerabilities in many well-known websites, including eBay, McAfee, Intel, ESET, Symantec, Kaspersky and Avira. An XSS flaw was also reported in mpaa.org during the first week of May 2009.
Related article: XSS Bug Remains the Worst Infection for Sites
SPAMfighter News - 20-05-2009