If you have come to this page reading about Google's cool new features, relax. You have fallen prey to Google's April Fool Pranks. Every year since 2000, Google has announced various pranks on April 1st. I just researched them and made a fictitious story around it.
But how did it show up in Times Of India?
That's the purpose of this article.
Cross Site Scripting & TOI
Cross Site Scripting, or XSS, is a vulnerability that allows an attacker to introduce malicious javascript or html code into a webpage. The wikipedia article on XSS, the OWASP website, and the XSS Cheat Sheet by R Snake are excellent places to learn more about this menace.
The Times of India website has XSS vulnerabilities all over the place, making it trivial to find a loophole. So, to make the fake article, I just exploited a vulnerability to inject an IFrame into the source. The Iframe points to this page, which is hosted on 530geeks.com. To the end user, of course, it looks like Times Of India is hosting the article.
Someone with malicious intents can do much worse things. They could write an article in Times of India saying IPhones have become cheaper in India, then link to Indiatimes Shopping website (which also has XSS), and ultimately steal your credit card number. Or they could steal your credentials and gain access to your indiatimes email.
So what is Indiatimes doing about it?
Unfortunately, nothing.
I tried to contact Indiatimes and Times of India several times via their 'Contact Us' Page, and via emails. For the past 20 days, I have been waiting for a response, but haven't heard anything from them.
Hopefully, if all of us write to them, they will start fixing these bugs.
Thanks for reading!
Thursday, 4 February 2010
Subscribe to:
Post Comments (Atom)
0 comments:
Post a Comment