99 percent of About.com links vulnerable to XSS, XFS iframe attack
About.com has a huge security problem, but it's likely worse for the over 98 million monthly visitors to the About Group's various topic-specific subdomains.
A security researcher disclosed Monday that "at least 99.88%" of all topic links and all domains related to About.com are vulnerable to open XSS (Cross Site Scripting) and Iframe Injection (Cross Frame Scripting, XFS) attacks.
According to the researcher's findings and proof-of-concept results, all subdomains of About.com are affected.
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS) at Nanyang Technological University (NTU) in Singapore disclosed the massive vulnerabilities -- essentially attack vectors that About.com is distributing to its unwitting visitors -- on Sunday, Oct 19, 2014 but Jing received no response.
"Until now," he said at the time of his public disclosures Monday, February 2 -- over three months later -- "they are still unpatched."
Jing added, "Simultaneously, the About.com main page's search field is vulnerable to XSS attacks too. This means all domains related to About.com are vulnerable to XSS attacks."
Last but not least, some "Open Redirect" vulnerabilities related to about.com are introduced. There may be large numbers of other Open Redirect Vulnerabilities that are not detected.Since About.com is trusted by some the other websites, the vulnerabilities can be used to perform 'Covert Redirect' attacks to other websites.
XSS: Intriguingly versatile -- and really bad
XSS is listed in OWASP's 2013 top 10 of evil, or rather, 2013's Top Ten Application Security Risks.
Because these kinds of attacks go after the user rather than a server or application, the vulnerability on About.com's subdomains put all visitors at risk of attacks that can steal data (like cookie information, saved logins, and identity theft); take control of a user's session in a different tab; run malicious code (even on your home router); access clipboard contents; get access to free or paid content; access your network; or be used as part of a phishing scam.
- See also: Veracode's XSS Cheat Sheet
Security researchers reading this will be keen to know that the About.com attacks are open to anyone.
XSS attacks are a staple in both research and crime; XSS attacks have been around since the Internet was young, and are regularly used by penetration testers when helping websites and organizations beef up their security.
But they're cancer for the ordinary user's security.
Jing said, "For the Iframe Injection vulnerabilities, [they] can be used to do DOS (Denial-of-Service Attack) to other websites, too."
The researcher explained (bold added by ZDNet for emphasis),
Based on a self-written program, 94357 links were tested. Only 118 links do not belong to the topics (Metasites) links. This means no more than 0.125% links are not affected.
At least 99.875% links of About Group are vulnerable to Iframe Injection attacks. In fact, for About.com's structure, the main domain is something just like a cover. So, very few links belong to them.
Due to the critical, and large-scale nature of the issue, Jing created a detailed report and proof of concept documentation (including the video below), and disclosed the problem on his blog, the blog Security Pitch, and Jing's Twitter feed.
If you think About.com is some GeoCities-era relic from the past no one looks at anymore, think again: About's 1000+ topic subdomains are Wikipedia competitors, which according to Traffic Estimate, saw its overall traffic hit more than 98.5 million unique visitors in January 2015.
According to Jing, the vulnerabilities can be attacked without user login and work across all the popular browsers.
For Jing's XFS and open redirect attacks, "Tests were performed on Microsoft IE (10.0.9200.16750), Windows 8, Mozilla Firefox (34.0), Google Chromium 39.0.2171.65-0, Ubuntu (14.04), and Apple Safari (6.1.6 of Mac OS X Lion 10.7)."
For Jing's About.com XSS attacks, "Tests were performed on Mozilla Firefox (26.0) in Ubuntu (14.04), and Microsoft IE (9.0.15) in Windows 7."
On the Full Disclosure list he included, "The vulnerability occurs at About.com 'offsite.htm' page with "zu" parameter," and included several vulnerable URLs and PoC URLs in his disclosure posts.
All links under the topics of about.com can be used for this attack.Just attach "/lr/" to any About.com's sub-domains. Then attach "any codes + sciript" or attach "script" code directly is OK.
The structure is (...)
OWASP defines the attacks as:
In an XFS (Cross-frame-Scripting) attack, the attacker exploits a specific cross-frame-scripting bug in a web browser to access private data on a third-party website. The attacker induces the browser user to navigate to a web page the attacker controls; the attacker's page loads a third-party page in an HTML frame; and then javascript executing in the attacker's page steals data from the third-party page.XFS also sometimes is used to describe an XSS attack which uses an HTML frame in the attack. For example, an attacker might exploit a Cross Site Scripting Flaw to inject a frame into a third-party web page; or an attacker might create a page which uses a frame to load a third-party page with an XSS flaw.
In the first of ComputerWeekly's excellent series on application-layer attacks, Michael Cobb writes, "XSS attacks work even if the site is viewed over an SSL connection, because the script is run in the context of the "secured" site, and browsers cannot distinguish between legitimate and malicious content served up by a Web application."
User defenses against XSS and XFS attacks are little outside of avoiding the vulnerable websites, and practicing good privacy hygiene such as not allowing your browser to 'remember' your logins and passwords, blocking as many tracking cookies as possible, keeping sensitive data in encrypted storage, and frequent login/password changes (especially with critical accounts, such as banking and medical sites).
ZDNet has reached out to About.com for comment and will update this post accordingly.