xss

Latest

  • How to sell the Brooklyn Bridge in the 21st century

    by Andrew Tarantola, 10.04.2019

    Scammers, fraudsters, and confidence men have existed since we invented commerce. If there's a system of valuation in place, there are angles to be worked and Brooklyn Bridges to be sold. The rise of social media and our always-connected lifestyles has only compounded the problem, giving unscrupulous hucksters access to virtually every mark the world over. But social platforms are taking action to put an end to these fraudulent financial assaults. [Image credit: Valery Sharifulin via Getty Images]

  • OS X update fixed 'simple' bug that could leak your iMessages

    by Timothy J. Seppala, 04.09.2016

    Researchers explained one large security hole in Apple's iMessage app that received a patch last month, but until now we didn't have details on another vulnerability fixed at the same time. By tricking users into clicking a specially-crafted link, hackers could gain access to the usually encrypted communications in OS X El Capitan's Messages. "You don't need a graduate degree in mathematics to exploit it, nor does it require advanced knowledge of memory management, shellcode or ROP chains," according to security researchers at Bishop Fox -- just knowledge of basic JavaScript.

  • WordPress vulnerability leaves millions of sites open to attack

    by Devindra Hardawar, 05.07.2015

    If you've got a WordPress site, pay attention: A recently discovered vulnerability within the blogging platform leaves your site open to attack, according to the security firm Sucuri. So far, it affects the TwentyFifteen theme (installed by default) and the JetPack plugin, which has over a million installations. At issue is the "genericons" WordPress package, something that both of those WordPress add-ons use, which comes with an insecure file that leaves sites open to a cross-site scripting vulnerability. If a hacker can trick you into clicking a malicious link, they can get full control of your WordPress site. Thankfully, the fix is pretty simple: Just remove the "example.html" file from any instance of genericons in your WordPress installation. Sucuri has also warned several hosting providers about the vulnerability, including GoDaddy, DreamHost and WP Engine, which have already patched against the issue. [Photo credit: Armando Torrealba/Flickr]

  • Twitter turns off Tweetdeck to 'assess' JavaScript security breach (update: it's back)

    by Richard Lawler, 06.11.2014

    If you're a Tweetdeck user and can't log in right now -- there's a reason. The service's webapp contained a vulnerability that let it run scripts embedded in tweets; just reading a tweet could cause a popup to appear on your screen, redirect you to another website, hijack your account or even cause you to retweet something without knowing. Since Tweetdeck is used by many of the social media managers for widely-followed accounts, a flaw that spreads itself could quickly replicate across the service. The official Tweetdeck account claimed the vulnerability was fixed earlier, but that doesn't appear to have worked, and as a result, Twitter has taken the service down "to assess today's earlier security issue." Even though you can't log in right now, it would probably be a good idea to revoke the service's access to your account entirely until things are resolved. Update: Tweetdeck says it's verified a security fix and turned the service back on -- who wants to be the first to confirm if it's actually safe? [Image credit: Simon Dawson/Bloomberg via Getty Images]

  • Google's hacking game trades exploits for cake

    by Jamie Rigg, 06.01.2014

    Everyone knows the best way to teach children is to make the learning process fun and engaging; and if we're honest, that methodology works just as well on us big kids, too. Now, even hunting through code for cross-site scripting (XSS) bugs can be entertaining, thanks to a game developed by a playful group of security experts at Google. The browser-based game is intended to test the skills of web developers, with levels challenging you to find and exploit XSS vulnerabilities -- which can be an open door for hackers -- in realistic scenarios. Of course, it's not intended to train up a new generation of hackers, but to make devs aware of bugs so they can avoid them. It's no casual Chrome experiment, so as an extra incentive to complete all six levels, you're promised "cake at the end of the test." Now, where have we heard that before? [Image credit: 9to5Google]

  • The story behind the Twitter worm

    by Joseph L. Flatley, 09.22.2010

    When we heard about this malicious JavaScript code that hit Twitter yesterday, we were kind of relieved: perhaps it was nature's way of ridding us of celebrity micro-bloggers. But as the day went on, it seemed that even if this were the case, a sordid tale was emerging: apparently the whole thing began with a Norwegian programmer named Magnus Holm, who had experimented with a flaw in Twitter's website that let users execute code on a mouseover. His version of the code simply replicated itself: "The purpose was simply to see if it was possible to create a worm," he told The New York Times, adding that he was surprised it had spread as quickly as it did. "Because it was very easy to delete the Tweet that contained the worm, I expected that everyone would just delete it the moment they realized that they've been 'infected.'" But soon enough, folks were updating the code for malicious purposes, including redirects to spam sites and, perhaps worst of all, Rickrolling. By 8:30 AM President Obama's Press Secretary Robert Gibbs had inadvertently sent the thing out to his followers, and by 10:00 AM (when Twitter had patched the hole) an estimated 200,000-plus users had been hit. Fortunately, it looks like things are back to normal, which reminds us: @justinbieber hasn't tweeted for over twenty-four hours. We hope he's OK!

  • 'Rainbow tweets' start hammering Twitter after onMouseOver exploit discovered

    by Vlad Savov, 09.21.2010

    Oh dear. Some wise guys have discovered a JavaScript exploit in Twitter's web interface, which uses an onMouseOver instruction to hijack your own tweeting voice and force you to say things you don't want to say. Simply put, hovering on some of these colorful new tweets can result in you tweeting out the spammiest spam you ever did tweet. So, as with Tetris, be wary of those blocks of color, they are the harbingers of doom. And until the Twitter crew wrap their brains around sealing this vulnerability off, we'd recommend just using any of the cornucopia of Twitter apps floating about in the webosphere. [Thanks to everyone who sent this in] Update: The Twitgineers are already dealing with the issue and are rolling out a patch that should span the entire Twitterverse before too long.

  • Apple's iTunes Affiliates site briefly subjected to image swaps

    by Josh Carr, 11.03.2009

    Our friends over at OS X Daily passed along their story noting that Apple's site for iTunes Affiliates was vulnerable to a cross-site URL trick, letting you substitute your own images for the ones normally displayed on the page. Since the site is intended to let websites display a custom top banner, this was 'as designed' -- at least until jokesters began taking advantage. The trick works (or at least, it did) by taking the default URL from the web browser and replacing a few things like the artist name, album name, album thumbnail source and the image link. The Internet moves pretty fast, though. As I was typing this, Apple removed the top banner altogether, preventing the customized image display. No more pranks for us. In any case, OS X Daily pointed out that the image issue could allow malicious folks to redirect would-be Apple visitors to malware sites or other bad destinations. Even an innocent image viewer that appears within an iframe on a branded page can cause problems; that's what the folks at Wired found out last January, when someone took advantage of their image tool to post a hoax "Steve Jobs had a heart attack" news story. Props to Apple's web development team, though, for taking this down within the ten minutes it took me to finish the post.