In Depth

Software Vulnerability Disclosure: The Chilling Effect

How the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal

By Scott Berinato

Page 8

"In some ways," RSnake says, "there is no hope. I'm not comfortable telling companies that I know how to protect them from this."

A WAKE-UP CALL for websites

Around breakfast one day late last August, RSnake started a thread on his discussion board, Sla.ckers.org, a site frequented by hackers and researchers looking for interesting new exploits and trends in Web vulnerabilities. RSnake's first post was titled "So it begins." All that followed were two links, www.alexa.com and www.altavista.com, and a short note: "These have been out there for a while but are still unfixed." Clicking on the links exploited XSS vulnerabilities with a reasonably harmless, proof-of-concept script. RSnake had disclosed vulnerabilities.

He did this because he felt the research community and, more to the point, the public at large, neither understood nor respected the seriousness and prevalence of XSS. It was time, he says, to do some guerrilla vulnerability disclosure. "I want them to understand this isn't Joe Shmoe finding a little hole and building a phishing site," RSnake says. "This is one of the pieces of the puzzle that could be used as a nasty tool."

If that first post didn't serve as a wake-up call, what followed it should have. Hundreds of XSS vulnerabilities were disclosed by the regular klatch of hackers at the site. Most exploited well-known, highly trafficked sites. Usually the posts included a link carrying a proof-of-concept exploit. An XSS hole in www.gm.com, for example, simply delivered a pop-up dialog box with an exclamation mark in the box. By early October, anonymous lurkers were contributing long lists of XSS-vulnerable sites. In one set of these, exploit links connected to a defaced page with Sylvester Stallone's picture on it and the message "This page has been hacked! You got Stallown3d!1" The sites this hacker contributed included the websites of USA Today, The New York Times, The Boston Globe, ABC, CBS, Warner Bros., Petco, Nike, and Linens 'n Things. "What can I say?" RSnake wrote. "We have some kick-ass lurkers here."

Some of the XSS holes were closed up shortly after appearing on the site. Others remain vulnerable. At least one person tried to get the discussion board shut down, RSnake says, and a couple of others "didn't react in a way that I thought was responsible." Contacts from a few of the victim sites—Google and Mozilla, among others—called to tell RSnake they'd fixed the problem and "to say thanks through gritted teeth." Most haven't contacted him, and he suspects most know about neither the discussion thread nor their XSS vulnerabilities.
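The class of bug the thread was exposing is reflected cross-site scripting: a value from the request URL is copied into the page without encoding, so the browser renders it as the site's own markup. The following is an added example, not code from the article or from any of the sites it names; the search route, the function names and the sample pop-up payload are constructed for illustration, and the encoded version shows the usual fix (HTML-encoding untrusted data at the output boundary), which is assumed here rather than taken from any particular site's patch. It runs stand-alone under Node.js.

```javascript
// Added example (not from the article): a reflected-XSS pattern of the kind
// the Sla.ckers.org thread was exposing, next to the output-encoded version.
// All names below (route, functions, payload) are constructed for illustration.

// HTML-encode a string for safe insertion into element content or a quoted attribute.
// Ampersand is replaced first so the entities inserted afterwards are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE: the search term is interpolated straight into the page markup,
// so any tags in the URL become part of the page the browser executes.
function renderSearchPageVulnerable(query) {
  return `<html><body><h1>Results for: ${query}</h1></body></html>`;
}

// FIXED: the same page, with the untrusted value encoded where it meets HTML.
function renderSearchPageSafe(query) {
  return `<html><body><h1>Results for: ${escapeHtml(query)}</h1></body></html>`;
}

// Pull the "q" parameter out of a request URL (decoded by URLSearchParams)
// and hand it to whichever renderer is in use. WHATWG URL is a Node global.
function handleSearchRequest(requestUrl, render) {
  const q = new URL(requestUrl).searchParams.get("q") ?? "";
  return render(q);
}

// Defender-side check usable in a test suite: if input containing markup
// appears verbatim in the rendered output, the renderer is reflecting it unencoded.
function reflectsUnencoded(render, input) {
  if (!/[<>"'&]/.test(input)) return false; // nothing that needs encoding
  return render(input).includes(input);
}

// Constructed sample input: the same harmless pop-up style payload the thread used.
const SAMPLE_PAYLOAD = '<script>alert("xss")</script>';

// Stand-alone demo output.
console.log("vulnerable reflects unencoded:", reflectsUnencoded(renderSearchPageVulnerable, SAMPLE_PAYLOAD)); // true
console.log("fixed reflects unencoded:     ", reflectsUnencoded(renderSearchPageSafe, SAMPLE_PAYLOAD));       // false
```

The check in `reflectsUnencoded` is deliberately simple: it flags any renderer that echoes a string containing HTML-significant characters without changing it, which is the property the thread's proof-of-concept links relied on, and it passes once the output is entity-encoded regardless of which payload is tried.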
