Simon Willison’s Weblog

The Register hit by XSS

Here’s a nasty one: popular tech news site The Register was hit on Saturday by the Bofra exploit, a nasty worm which uses an iframe vulnerability in (you guessed it) Internet Explorer to install nasty things on the victim’s PC. Where it gets interesting is that the attack wasn’t against the Register themselves; it came through their third party ad serving company, Falk AG.

This is a classic example of a cross site scripting attack, in which malicious client-side code (usually JavaScript) is uwittingly served up by an otherwise innocent site. Usually, cross site scripting is caused by a badly written server-side application failing to properly escape data sent in a query string before displaying it on a page. This allows attackers to create links which, when followed, steal cookies or cause other nasty effects for the user following the link. Attacks on third parties with scripts served up on a target website’s pages (ad serving companies are a classic example) are less common but much more damaging as the malicious code involved will be distributed to everyone who visits that site, whether they click on a hostile link or not.

This problem isn’t restricted to ad servers; any service where web pages point to a JavaScript file hosted on an external site are potentially at risk should the external site be compromised by crackers or abused by its legitimate owner.

An aside: users of alternative browsers (Get Firefox!), as well as those who had upgraded to Windows XP Service Pack 2, were unaffected.