
New XSS Attack to Compromise PC Uses VoIP

An XSS (cross-site scripting) attack delivered via the Session Initiation Protocol (SIP) used by VoIP is a new method for malicious hackers to take control of a computer. The XSS attack could allow malware execution on the user's computer through a VoIP connection. Security researchers came across the vulnerability on October 8, 2007, following which they posted proof-of-concept code elaborating the flaw they located in a Linksys VoIP product.

The attackers probably found a loophole in popular security defenses, as many of them do not inspect SIP traffic for Web 2.0 XSS flaws. Users are therefore advised to deploy a security solution that looks for malware in every protocol that is allowed to enter the enterprise's network.

This particular XSS attack loads a program on the targeted computer with which hackers could listen to and record Voice over Internet Protocol phone calls. A hacker who wants to earn money might tap the telephone conversations of a large company's chief financial officer to gather information that he could use in stock trading.

Hackers could also use the XSS attack to target people by installing keyloggers on their PCs that would intercept usernames, passwords and other such sensitive information to help criminals rob the users' bank accounts.

In a comment on the issue, Paul Henry, Vice President of Technology Evangelism at Secure Computing, said that, given the total disregard for security in VoIP deployments, the release of the new proof-of-concept code describing the XSS flaw is only the beginning of more VoIP vulnerabilities expected in the future. Help Net Security published this in news on October 17, 2007.

In another statement, Henry said that he has not yet heard about the launch of the attack on any real user; however, with the release of the proof-of-concept, it is likely to occur anytime soon. Network World published this on October 17, 2007.

Henry said the public disclosure of the security flaw even before vendors could develop a patch is irresponsible. But, according to some researchers, the disclosure would raise public awareness about the risks, because vendors take too long to act.


» SPAMfighter News - 11/3/2007
