CNET stops IFRAME site attacks - who's next?

Alex Zaharov-Reutt
Monday, 10 March 2008 13:59

Your IT - Home IT

Danchev quoted Symantec’s report which said: “"On March 4, 2008, reports of an IFRAME attack coming from ZDNet Asia began to surface. Attackers appear to have abused the ZDNet search engine's cache by exploiting a script-injection issue, which is then being cached in Google.”

Symantec’s report continued that: “Clicking the affected link in Google will cause the browser to be redirected to a malicious site that attempts to install a rogue ActiveX control. On March 6, 2008, the research that discovered the initial attack published an update stating that a number of CNET sites including TV.com, News.com, and MySimon.com are also affected by a similar issue."

On March 7, at 19:45 (EET), Danchev noted that: “all of the sites have their input validation checks applied so loadable IFRAMEs can no longer load or be accepted at all, despite that the injected pages are still indexed by search engines. A malicious campaign targeting high profile sites that went online and got taken care of for some 48 hours, that's good.”

Danchev asks “How was the IFRAME injection possible at the first place?”.

Danchev quotes OWASP (Open Web Application Security Project), which “lists input validation as one of the top 10 injection flaws for 2007, which in a combination with a site's SEO practice of caching pages with the injected input in the form of a keyword and the IFRAME, is what we've been seeing during the week:”

OWASP’s definition of input validation is: "Input validation refers to the process of validating all the input to an application before using it. Input validation is absolutely critical to application security, and most application risks involve tainted input at some level. Many applications do not plan input validation, and leave it up to the individual developers. This is a recipe for disaster, as different developers will certainly all choose a different approach, and many will simply leave it out in the pursuit of more interesting development."

Danchev concludes by saying that: “And since I've already established the RBN connection, it would be perhaps the perfect moment to demonstrate the abuse of input validation by injecting the Russian Business Network's Wikipedia entry in exactly the same fashion the malicious IFRAMEs were allowed to be injected at the first place. The bottom line - even with the input validation flaw accepting and loading the IFRAME, this attack wouldn't have been successful if it wasn't executed in a combination with the sites' keywords caching function.”

Clearly, website security and the security of users accessing those sites is being abused in ever more clever ways. If you’re running a major website, the Russian Business Network, among other hackers, is undoubtedly probing it to see if they can hijack it, whether with IFRAMES or not.

While IFRAME attacks aren't new, Danchev’s discoveries that major sites are still under attack are a sobering wakeup call for webmasters and users alike.