XSS worm at Justin.tv infects 2,525 profiles


Summary: An XSS worm was crawling across Justin.tv, the popular lifecasting platform, at the end of June; details of the incident emerged in the middle of last week.


An XSS worm was crawling across Justin.tv, the popular lifecasting platform, at the end of June; details of the incident emerged in the middle of last week. The group that found the XSS vulnerability abused it to generate the following graph as a proof of concept, until Justin.tv fixed the flaw and rendered the worm inert. A proof of concept of what, exactly, remains questionable: if the research community were to exploit every site vulnerable to SQL injection, or every high-profile site vulnerable to a critical XSS flaw, embed a counter in the payload and then produce fancy graphs of how many people could have been affected, we would be dealing with more PoCs than real security incidents executed by malicious parties. This is the statement made by one of the group members who released the PoC:

"As of 'Sat, 28 Jun 2008 21:52:33 GMT' - An XSS worm was released on this website, this was and is meant only for research purposes. It was successfully executed and lasted roughly around 24 hours.

We have recorded such records making it possible for us to create graphical images graphing the progress of this XSS worm as it infected each profile upon the last being viewed. The XSS vulnerability was discovered and fixed during 'Sun, 29 Jun 2008 21:12:21 GMT', with an aftermath of 2525 profiles.

This actually is the very first XSS worm which we have unleashed, and it was solely upon research reasons; non-malicious at all :)

We've contacted the JTV programmers prior to the fixing of the XSS worm and have sorted things out with them and made sure that they knew NO information such as IP addresses, cookies, sessions and further information which poses private is not to be released. After that I put myself forward and found another XSS in turn to prove that I was dedicated to helping JTV out in any further possible vulnerabilities", says x2Fusion.

Justin.tv fixed it shortly after users started complaining:

"On Saturday we started to receive emails from users saying that their account had been compromised. On Saturday night we found a vulnerability that allowed someone to gain access to another user's account without needing their username and password. Emmett worked tirelessly to fix the bug and released a patch on Sunday morning. We were informed that as a result of the first vulnerability, personal communications from a number of justin.tv users were posted on flickr for all to see. We greatly regret that this occurred and apologize that we were not able to find and fix this vulnerability sooner. On Tuesday a similar vulnerability was found and it was fixed within 2 hours."

The majority of social networking sites have all been subject to the efficient exploitation of a single XSS flaw, leaving hundreds of thousands, sometimes millions, of users affected by XSS worms. Orkut, MySpace (plus a second possibility via a QuickTime XSS flaw), GaiaOnline and Hi5 are just the tip of the iceberg, since a great many currently unfixed vulnerabilities can easily be turned into XSS worms if that is what someone wants to achieve.

Adding a second layer of protection for end users, with the first layer being the site's own responsibility to audit itself, widely used browsers are finally contributing: Mozilla's Site Security Policy and IE8's Cross Site Scripting Filter aim to protect the user even if the site itself remains vulnerable. Let's see how long it takes before malicious parties start bypassing these built-in protection mechanisms and publicly demonstrate it on a large scale.
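The mechanism the two paragraphs above rely on, a single stored XSS flaw that turns every profile view into a fresh infection, and the site-side layer of defense that stops it, as an added simulation that is not part of the original post and not Justin.tv's code. The in-memory profile store, the browsing log, the stand-in payload marker and the toy "browser" that treats a literal <script> tag in the rendered page as executed are all constructed for this example; the browser-side filters mentioned above are not modelled, only the site's own fix (encoding user-controlled text before it is placed in the page):

```javascript
// Added illustration (not Justin.tv's code): a stored-XSS profile worm and the
// site-side fix, simulated against a constructed in-memory profile store.

// HTML-escape untrusted text before placing it in an HTML body context.
// This is the site-side fix: an encoded bio cannot introduce a <script> tag.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in worm payload (a marker, not real exploit code): markup that, if the
// page executes it in a viewer's session, appends itself to the viewer's own bio.
const PAYLOAD = "<script>/* copy me into the viewer's bio */</script>";

// Renders a profile page. escapeUserInput=false reproduces the vulnerable
// behaviour (bio interpolated raw); true is the fixed behaviour.
function renderProfile(profile, escapeUserInput) {
  const bio = escapeUserInput ? escapeHtml(profile.bio) : profile.bio;
  return `<html><body><h1>${escapeHtml(profile.name)}</h1>` +
         `<div id="bio">${bio}</div></body></html>`;
}

// Stand-in for the browser: a literal <script> tag in the rendered page counts
// as executed in the viewer's session. Encoded output only contains &lt;script&gt;.
function pageExecutesPayload(html) {
  return /<script>/i.test(html);
}

// One page view: viewer opens owner's profile. If the payload executes, the
// viewer's own profile is infected (store-and-spread is the worm's only trick).
function view(profiles, viewerId, ownerId, escapeUserInput) {
  const html = renderProfile(profiles[ownerId], escapeUserInput);
  if (!pageExecutesPayload(html)) return false;
  if (profiles[viewerId].bio.includes(PAYLOAD)) return false; // already infected
  profiles[viewerId].bio += PAYLOAD;
  return true;
}

// Constructed profile store with "alice" as patient zero (the seeded profile).
function freshProfiles() {
  const profiles = {};
  for (const id of ["alice", "bob", "carol", "dave", "erin"]) {
    profiles[id] = { name: id, bio: `Hi, I am ${id}` };
  }
  profiles.alice.bio += PAYLOAD;
  return profiles;
}

// Replays a browsing log. Views with index < patchAtView are served by the
// vulnerable code; from patchAtView onward the fix is deployed. Returns the
// number of profiles still carrying the payload at the end: profiles infected
// before the patch keep the stored markup, but it no longer executes or spreads.
function runSimulation(viewLog, patchAtView) {
  const profiles = freshProfiles();
  viewLog.forEach(([viewer, owner], i) => {
    view(profiles, viewer, owner, i >= patchAtView);
  });
  return Object.values(profiles).filter((p) => p.bio.includes(PAYLOAD)).length;
}

// Constructed browsing log: [viewer, profile owner].
const VIEW_LOG = [
  ["bob", "alice"], ["carol", "bob"], ["dave", "carol"], ["erin", "alice"], ["dave", "erin"],
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("never patched:", runSimulation(VIEW_LOG, Infinity));       // 5
  console.log("patched after 2 views:", runSimulation(VIEW_LOG, 2));      // 3
  console.log("patched before any view:", runSimulation(VIEW_LOG, 0));    // 1
}
```

The point the simulation makes is the one the post's author makes in the comments: the worm has no capability of its own beyond the site's flaw, so the moment `renderProfile` encodes the bio, the already-stored payload becomes inert text and the infection count stops growing. The same encoding rule applies to every other sink the site writes user data into; this example only covers the HTML body context.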

Topic: Social Enterprise

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

7 comments
  • The virus is impossible to find

    I see that they needed a proof of concept argument to have it studied then fixed. All computer problems stem from virus.
    BALTHOR
    • Re: The virus is impossible to find

      XSS worms propagate using a site-specific vulnerability to do so. Fixing the vulnerability disables the XSS worm, and no PoC that that XSS worm is possible is needed here since it's logically supposed to work. A PoC proves the obvious, so it's abuse of an unfixed flaw that actually proves nothing but their intentions.
      ddanchev
      • Re: The virus is impossible to find

        Hello,

        Please take note to what I have recently posted. It may shed some light upon questions rising out of the dark.

        It states that the mentionable responsible for research are NOT actually responsible for the hi-jacking (or stealing) of accounts.

        I'd appreciate positive thoughts over what is said.

        Regards,
        Nick Daniels.
        Nick.D
  • Questionable Actions

    I'm not sure if I agree with the researcher's actions. I do support security research and the "white hat" that will identify and report a security vulnerability responsibly. However, placing an XSS worm which can propagate to other users is pushing the limits in my opinion.

    Even if the worm was completely benign, what if the degree of propagation caused the site to go down (aka samy worm at myspace)? Then the "research only worm" results in a financial loss for the company.

    Now, on the flip side, some companies will completely ignore XSS and other security issues until something like this happens. It's a tough situation the application security industry must continue to deal with.

    -Michael Coates
    http://michael-coates.blogspot.com
    mwcoates
    • Re: Questionable Actions

      Hello,

      Please take note to what I have recently posted. It may shed some light upon questions rising out of the dark.

      It states that the mentionable responsible for research are NOT actually responsible for the hi-jacking (or stealing) of accounts.

        I'd appreciate positive thoughts over what is said.

      Regards,
      Nick Daniels.
      Nick.D
      • Re: Questionable Actions

        Nick,

        I understand that the researchers did not actually hi-jack any accounts nor did they compromise any data.

        From what I understand, the researchers released a self propagating worm via XSS to demonstrate the vulnerability. They performed this action without first obtaining permission from the site. (please correct me if either of these assumptions are incorrect)

        Consider the samy worm at myspace (http://ha.ckers.org/blog/20070319/samy-worm-analysis/). The issue wasn't that sensitive data was compromised or accounts were hijacked. The problem was the massive spread of the worm. In the end, myspace went down.

        My main issue here, is that this could have gotten out of hand and resulted in some major issues for justin.tv. While this may not have been likely, I don't think we should direct responsible security research down this path.

        If anyone is aware, I would be interested in hearing what precautions the security researchers took to control the spread of the worm.

        -Michael Coates
        http://michael-coates.blogspot.com
        mwcoates
  • [N] Shedding light upon truth.

    For informative purposes, please take note that Justin.tv was subjected to multiple Cross-Site Scripting attacks prior to the listed dates.

    A recent 'Town-Hall Meeting', cleared all these questions up; says Justin.tv Staffers the Security Team responsible for research were NOT responsible for the hi-jacking (or stealing) of accounts.

    The individuals which were subject to the releasing of the Cross-Site Scripting worm have to this date made agreements with Justin.tv.

    Regards,
    Nick Daniels.
    Nick.D