Major companies, including several banks, have left themselves wide open to an online scam that could see malicious hackers get hold of thousands of people's personal and confidential details, including their bank account and credit card details.
Those affected include Barclaycard, Mastercard, NatWest, WorldPay, Reuters, Sky, even the UK's government listening post, GCHQ. Many hundreds of other sites are likely to be similarly affected.
UK security researcher Sam Greenhalgh has gone public to reveal the extent of the problem, in which someone can set up a fake Web page that looks exactly like a company's website and contains whatever content they want - but that page actually appears on the company's own website.
The implications are alarming. Banks and the UK government have recently warned about so-called "phishing" attacks where hackers con people into believing they are visiting one website when they are actually at another. Victims are prompted to input their financial details, and the hackers then use this information to rip off the unfortunate punter.
However, while that scam can be discovered by an observant Net user, this new security problem will see that same page actually appear on the company's real website. It is done by taking advantage of a cross-site scripting (XSS) vulnerability. The exploit makes use of dynamically generated Web pages created using user input - for example, a search page.
The attacker sends a Web link containing bogus search terms or other user input that contains malicious code. If the site fails to validate the input properly, the code itself is run and a fake Web page reproduced that appears to come directly from the company itself. As Greenhalgh summarises: "The genuine site is itself manipulated to display spurious content, rendering it almost undetectable to the victim."
And to prove his point, Greenhalgh has set up various demonstrations on his own website that make use of the XSS hole. Clicking on one brings up a complete reproduction of the company's Web page but with his own content on it. Techworld verified Greenhalgh's demonstration on a fully-patched Internet Explorer, Mozilla Firefox 0.9.1 and Apple's Safari, on Mac OS X and Windows XP.
[Note: As of 10am, Tuesday 20 July, the Barclaycard and Mastercard links do not work. Whether the companies have plugged the hole or simply prevented Greenhalgh's link from working we can't tell at the moment.]
XSS is not a new technique, which makes it all the more serious that major sites are still vulnerable, according to security experts. "This is a very old idea - XSS was talked about before phishing became a big problem," said Thomas Kristensen, CTO of Danish security firm Secunia. "This is a very powerful vulnerability, and website owners should be careful of it. It could undermine the trustworthiness of their sites."
XSS attacks work on SSL sessions, which could give attackers an additional advantage. "The technique offers fraudsters the enticing opportunity of having a phishing attack delivered over SSL with the attacker's code being served as part of a URL from the bona fide bank's own secure server," said Mike Prettejohn, president of Web analysis firm Netcraft, in an analysis of the issue.
Secunia's Kristensen agreed that the main advantage of XSS phishing exploits is how authentic they could be made to seem. "If the user is vigilant, and verifies the identity of the site by examining the SSL certificate, the attacker is still able to steal information," he said.
The technique hasn't yet been exploited for phishing purposes, but Prettejohn believes it is just a matter of time now that the vulnerability has been pointed out on high-profile sites. It could be exploited in the same way as spoofing-based phishing scams, by convincing a user to access a trusted site via a link in a persuasive spam email. Users can ensure their safety by typing in the URL manually or reaching it via a trusted source such as a search engine, Kristensen said.
XSS is not primarily a software problem, but an issue with Web design, researchers say. Preventing script injection attacks is the responsibility of Web site programmers, who must validate any user input and weed out dangerous scripting and HTML. Validation is simple, but is all too often overlooked, researchers said.
"Web programmers can prevent most cross-site scripting attacks by validating form input, and ensuring that all user data is correctly encoded before it is displayed or stored," stated Prettejohn. "'Never trust user input' is a basic security tenet designed to reduce the risk posed by Web forms."
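The fix Prettejohn describes, shown as an added example that is not from the article or from any of the sites named in it: a minimal search results page that reflects the user's query, first with the raw input pasted into the HTML (the flaw described above) and then with the input HTML-encoded before it is displayed. The link, hostname and page layout are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed example: a search page that reflects the q= parameter of the
# request URL back into the response, the vulnerable way and the hardened way.

def query_from_url(url: str) -> str:
    """Pull the q= parameter out of a search link (this is the user input)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("q", [""])[0]

def render_unsafe(query: str) -> str:
    """Vulnerable: the raw query is inserted into an attribute and into the
    page body, so any markup carried by the link becomes part of the page."""
    return (f'<input name="q" value="{query}">'
            f"<h1>Results for: {query}</h1>")

def render_safe(query: str) -> str:
    """Hardened: the same query is HTML-encoded before insertion. quote=True
    also encodes quotation marks, which matters inside the value attribute."""
    enc = html.escape(query, quote=True)
    return (f'<input name="q" value="{enc}">'
            f"<h1>Results for: {enc}</h1>")

def reflects_raw_markup(page: str, query: str) -> bool:
    """Check used to confirm the fix: does the query appear verbatim in the
    page while containing characters that the browser treats as markup?"""
    return any(c in query for c in '<>"') and query in page

if __name__ == "__main__":
    # Constructed link whose search term carries harmless markup.
    link = "https://bank.example/search?q=%3Cb%3Eaccount%3C%2Fb%3E%22"
    q = query_from_url(link)
    print("unsafe page reflects markup:", reflects_raw_markup(render_unsafe(q), q))
    print("safe page reflects markup:  ", reflects_raw_markup(render_safe(q), q))
```

The encoded output shows the search term as literal text, so a link cannot change what the site's own page displays.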
There are certain limitations that make XSS techniques less attractive to phishers than spoofing, Kristensen said. First, it requires some effort and expertise to uncover vulnerabilities on trusted sites, although these are sadly "common", according to Kristensen. Second, since the vulnerabilities are server-based, they can be fixed more quickly than client-based bugs.
As Greenhalgh points out on his site: "Script injection is easy to protect against. Protecting a website against these attacks takes nothing more than a little forethought from its developers."