Xavier's Security Post
Saturday, July 29, 2006
  Service includes: One Banner, Lots of clicks, One Attack Vector!
As I pointed out before (in Your Space, My Flash, His Cookies), there are companies out there--even the high-profile ones--which accept vulnerable advertisement code. To understand why companies are willing to open up attack vectors on their servers, one has to look at the beginning of it all.

Let's say you just thought of a radical new social-site idea that will make you rich! You start working on the site as a hobby, it turns into a project, and word starts going around to your friends. Feedback is coming into the mix, and now you're at a point where you are signing up with every social site out there. You're researching their pros and their cons, and you hire some consultants (or if you're broke, you ask friends) to evaluate your potential competitors.

Now you have extracted all the good, and have retracted all the bad from those sites. Your site goes live, and users start to come in. You start verbally (or textually) getting the word out. Your site has spanking new ideas! It's where all the cool cats hang out! "It's faster, sleeker, and quite sexy!" you say. Your users now exceed ten thousand, and you note that it's time to start making money from your investment.

You do some research on your own and decide to either use some service like AdSense, or consider accepting any advertiser who is willing to pay you top bucks for your horde of users. You go with the latter, and after some time some advertisers come your way. As time progresses you decide to put up one of those professional-looking "Advertise with us!" pages. Within it you have some rates, or a contact form--alongside banner sizes, or even examples of creating a Flash banner. Here is where the first issue arises:
[1] You copied and pasted some ActionScript code for a Flash advertisement scheme that was on some social-site competitor.
You were in a rush and did not research the possibility that the code was vulnerable. That is one vector you opened.

Advertisers have been in contact with you--many of them willing to spend big bucks too--so of course your idea has been a success, bravo. Your user count is five hundred thousand. The site is getting notoriety, the users are becoming obsessed, and the advertisers are throwing funds at you. Until the drama starts.

An attacker discovered an XSS hole in one of the forum pages. He was able to quietly steal the cookies of every user who went to a certain popular site. He first started his conquest by stealing a few vanity accounts--those with cool usernames like "lust" or "security"--then he started trading them, selling them. The attacker was upset one day by a clique of users, and he subsequently had all of their accounts deleted (thanks to that nifty self-delete button you added in a rush). Complaints pour in, and security researchers discover the attack and report on it. Your precious site is getting a bad rap about security issues. More attackers are attracted to the site. Now you have fuzzing bots searching for holes in every possible variable, users bashing the site on its own forums, and potential advertisers flocking to your competitors.

You're smart though, right? You managed to create a successful social site, and that itself is not an easy task nowadays. You spent hours combing through your source code--you found several nasty holes and had them patched. In between the drama you were able to utilize the free press you received to unveil a new feature on the site, and everybody is googoo over it. Advertisers start coming back, and the show is back on the road.

Then one day, somewhere between one and several million registered users, you get a request from an advertiser to host a Flash banner. It's not an odd request; it is nothing out of the ordinary. Instead of requesting the source code to the file, you throw it into the queue. It should only circulate to a certain number of users, then it comes right off. "What's the point?" you ask yourself before moving on to another equally important topic. The banner goes live, users see ads, others see popups, and a chunk of your users are suddenly infected with malware.
[2] You uploaded a Flash file to your server without verifying the contents within.
Not only did you open up an attack vector on your own server, but you compromised your idea entirely for financial gain, and alienated your users.
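
One way to do the verification that step [2] skipped, as an added example (not code from the original post): parse the submitted SWF, refuse anything whose header does not check out, and list every tag that embeds ActionScript so a human reviews the banner before it goes into the queue. The function names and the sample banner are constructed for illustration.

```python
import struct
import zlib

# SWF tag codes that embed ActionScript directly (names from the SWF file format).
SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}
DEFINE_SPRITE = 39  # nested tag stream after a 4-byte id/frame-count prefix

def swf_body(data):
    """Validate the 8-byte header and return the uncompressed remainder."""
    if len(data) < 9 or data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an SWF file (or unsupported compression)")
    body = zlib.decompress(data[8:]) if data[:3] == b"CWS" else data[8:]
    if not body or struct.unpack("<I", data[4:8])[0] != len(body) + 8:
        raise ValueError("declared length does not match content")
    return body

def walk(buf, pos, end, found):
    """Collect script-bearing tags in buf[pos:end], descending into sprites."""
    while pos + 2 <= end:
        code, size = divmod(struct.unpack_from("<H", buf, pos)[0], 64)
        pos += 2
        if size == 0x3F:  # long form: a 32-bit length follows
            if pos + 4 > end:
                raise ValueError("truncated tag header")
            size = struct.unpack_from("<I", buf, pos)[0]
            pos += 4
        if pos + size > end:
            raise ValueError("tag runs past its container")
        if code in SCRIPT_TAGS:
            found.append((SCRIPT_TAGS[code], size))
        elif code == DEFINE_SPRITE and size >= 4:
            walk(buf, pos + 4, pos + size, found)
        elif code == 0:  # End tag
            break
        pos += size
    return found

def script_tags(data):
    """Return [(tag name, payload size)] for every script tag in an SWF."""
    body = swf_body(data)
    start = (5 + 4 * (body[0] >> 3) + 7) // 8 + 4  # skip RECT, rate, frame count
    return walk(body, start, len(body), [])

def tag(code, payload=b""):  # short-form header, payload under 63 bytes
    return struct.pack("<H", code << 6 | len(payload)) + payload

# Constructed sample banner: empty RECT, 12 fps, 1 frame, sprite hiding a DoAction.
_sprite = b"\x01\x00\x01\x00" + tag(12, b"\x07\x00") + tag(1) + tag(0)
_body = b"\x00\x00\x0c\x01\x00" + tag(9, b"\xff" * 3) + tag(39, _sprite) + tag(1) + tag(0)
SAMPLE = b"CWS\x08" + struct.pack("<I", len(_body) + 8) + zlib.compress(_body)
```

`script_tags(SAMPLE)` reports the DoAction tag nested inside the sprite. The walk covers only the three direct script tags; button actions and clip-event actions are not inspected, so an empty result means "no direct script tags found", not "safe to host".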

Stepping outside the scenario above--the situation itself is a mix of the worms that have been hitting Facebook and MySpace, among plenty of others. In fact, as recently as this month MySpace allowed an advertiser to upload an arbitrary Flash file which exploited a Windows vulnerability, installed malware on its users' machines, and alienated not only its users, advertisers, and investors, but also Netizens who will be extremely wary of going to a site that is potentially arbitrary.
 
This public blog will be a place for me to output any Security findings, both technological and physical, that I have come about. I will post Security advisories I was a part of, and also other interesting bits of knowledge. Email: xavier [at] tigerteam.se
