Newsbytes 2002-05-30
Security flaws in e-mail features at several popular news sites could have been exploited by "spammers" or used to spread false information, a security specialist cautioned today.
The features, designed to allow visitors to share articles from the news sites with other Internet users, could have enabled unauthorized outsiders to relay messages through the news providers' e-mail servers, according to a Boston-based security expert, who identifies himself by the nickname "Zeno" and operates the CGIsecurity.com Web site.
Besides sending junk e-mail that would appear to come from the news providers, an attacker could have exploited the security holes to distribute bogus articles and spread false information, said Zeno.
A spokesman for USAToday.com, which was also warned of a vulnerability to such relaying attacks, said the company was "always looking at ways to make the site more secure." But the spokesperson did not provide more information about USAToday.com's plans to address the issue.
According to Zeno, it is likely that other news providers are similarly vulnerable. Many news sites provide special links within articles to allow visitors to send the article's address, along with a short excerpt, to other Internet users.
The four vulnerable sites all relied on a program known as a "CGI script" to compose special Web pages that gather information from visitors who use the email-a-friend feature. By viewing the source code to the pages, an attacker could determine how to send e-mails directly through the news sites' mail servers.
The resulting messages would contain routing or "header" information that indicated they originated from within the news company, and would not reveal the attacker's identity or Internet address.
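A hardened email-a-friend handler, shown as an added example that is not code from the article or from any of the sites it names: the server composes the message from an article it published itself and refuses any other submitted field, so knowing the form's layout gives an outsider nothing to relay. The article does not say which fields the scripts accepted; the field names, article table and addresses below are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage

# Constructed sample data: articles the site itself published (hypothetical).
ARTICLES = {
    "1001": ("City council approves budget", "https://news.example/articles/1001"),
}
SITE_FROM = "share@news.example"  # fixed by the server, never read from the form
MAX_NOTE = 200                    # cap on the visitor's personal note
# Character classes exclude CR, LF, commas and spaces: one address, no extra headers.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class Rejected(ValueError):
    """The submitted form must not be turned into an e-mail."""


def build_share_mail(form):
    """Build the outgoing message from a dict of submitted form fields."""
    # Only these fields are honoured; a submitted subject, body, sender or URL
    # field is treated as tampering rather than silently ignored.
    extra = set(form) - {"article_id", "to", "note"}
    if extra:
        raise Rejected("unexpected fields: " + ", ".join(sorted(extra)))
    # Title and link come from the server's own records, not from the request.
    article = ARTICLES.get(form.get("article_id", ""))
    if article is None:
        raise Rejected("unknown article")
    to = form.get("to", "")
    if not ADDR_RE.fullmatch(to):
        raise Rejected("recipient must be a single plain address")
    note = form.get("note", "")
    if len(note) > MAX_NOTE or any(ord(c) < 32 for c in note):
        raise Rejected("note too long or contains control characters")
    title, url = article
    msg = EmailMessage()
    msg["From"] = SITE_FROM
    msg["To"] = to
    msg["Subject"] = "A reader shared: " + title
    # The visitor's text is labelled so it cannot pass as the site's reporting.
    msg.set_content(
        f"{title}\n{url}\n\nNote typed by the visitor (not written by the site):\n{note}\n"
    )
    return msg
```

A production handler would also rate-limit submissions per visitor, which this example leaves out.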
Last year, a related flaw at CNN.com temporarily enabled users to e-mail links to external sites and to have those sites be tallied in CNN's listings of the most popular articles.
A prankster exploited the flaw at CNN.com in Oct. 2001 to spread a hoax about the death of pop singer Britney Spears. By creating a mock-up of a CNN.com Web page at an external site and using a quirk in how Web browsers handle special addresses, the prankster apparently fooled thousands of people into thinking Spears had died in a car accident.
Vulnerabilities in the Web publishing systems at some news sites have also left them prey to what experts refer to as "subversion of information" attacks. In September 2000, an unidentified attacker changed an article about the arrest of a hacker that was published at the Web site operated by California's Orange County Register. And last year, a security gadfly named Adrian Lamo demonstrated how he could alter articles published at Yahoo News.
In March, Point Blank Security warned several top news organizations that they were vulnerable to "cross-site scripting" attacks. Such attacks can enable malicious third parties to create Web pages that appear to come from the vulnerable site but are in fact hosted on a third-party server.
While some of the sites have corrected the scripting flaws, several are still vulnerable, including CBSmarketwatch.com, OCregister.com, Bbc.co.uk, Boston.com, and Businessweek.com.
CGIsecurity is at http://www.cgisecurity.com .
Point Blank's advisory on cross-site attacks is at http://www.pointblanksecurity.com/css .
Reported by Newsbytes, http://www.newsbytes.com .
