The Register hit by XSS
Here’s a nasty one: popular tech news site The Register was hit on Saturday by the Bofra exploit, a nasty worm which uses an iframe vulnerability in (you guessed it) Internet Explorer to install nasty things on the victim’s PC. Where it gets interesting is that the attack wasn’t against the Register themselves; it came through their third party ad serving company, Falk AG.
This is a classic example of a cross site scripting attack, in which malicious client-side code (usually JavaScript) is uwittingly served up by an otherwise innocent site. Usually, cross site scripting is caused by a badly written server-side application failing to properly escape data sent in a query string before displaying it on a page. This allows attackers to create links which, when followed, steal cookies or cause other nasty effects for the user following the link. Attacks on third parties with scripts served up on a target website’s pages (ad serving companies are a classic example) are less common but much more damaging as the malicious code involved will be distributed to everyone who visits that site, whether they click on a hostile link or not.
This problem isn’t restricted to ad servers; any service where web pages point to a JavaScript file hosted on an external site are potentially at risk should the external site be compromised by crackers or abused by its legitimate owner.
An aside: users of alternative browsers (Get Firefox!), as well as those who had upgraded to Windows XP Service Pack 2, were unaffected.
More recent articles
- Weeknotes: Parquet in Datasette Lite, various talks, more LLM hacking - 4th June 2023
- It's infuriatingly hard to understand how closed models train on their input - 4th June 2023
- ChatGPT should include inline tips - 30th May 2023
- Lawyer cites fake cases invented by ChatGPT, judge is not amused - 27th May 2023
- llm, ttok and strip-tags - CLI tools for working with ChatGPT and other LLMs - 18th May 2023
- Delimiters won't save you from prompt injection - 11th May 2023
- Weeknotes: sqlite-utils 3.31, download-esm, Python in a sandbox - 10th May 2023
- Leaked Google document: "We Have No Moat, And Neither Does OpenAI" - 4th May 2023
- Midjourney 5.1 - 4th May 2023
- Prompt injection explained, with video, slides, and a transcript - 2nd May 2023