sâmbătă, 5 mai 2012

Hacker Finds XSS on Torrent and US National Institutes of Health Sites

A number of torrent sites, along with the ones of the US National Institutes of Health and the National Endowment for the Arts have been found to contain cross-site scripting (XSS) vulnerabilities by the hacker known as Gambit.

The list of torrent sites includes, as shown in the screenshots, torrents.net, pnop.com, usniff.com, and torrenthound.com.

“Well after finding most if not ALL of the non-persistent and persistent XSS's on Kickass Torrents(8-10 in total) and getting $100 from them, I decided I would go on the hunt for XSS's on other torrent sites,” the hacker wrote.

“When I ask if they offer rewards like FB, Google, and some torrent sites, I either get a response of ‘We don’t offer rewards but would be grateful if you disclose the vulnerability’ or ‘We don’t take kindly to being blackmailed’ - that response was from ISOhunt.

“They were just a bunch of [expletive]. All I did was ask about a reward and get accused of a federal crime? They can goto hell. But more often than not I do not get a response at all.”

Besides the vulnerabilities identified on the torrent sites, Gambit also discovered some vulnerabilities on the site of the National Heart Lung and Blood Institute, part of the National Institutes of Health, and on the one of the National Endowment for the Arts.

“Here [in the POC file] are some .gov XSS's, these have not been reported because as I've stated before, I do not and will not report vulnerabilities to governmental bodies,” he explained.

The legitimacy of torrent sites may be questionable, but the real issue here is that a large number of Internet users visit them each day and such simple XSSs can put them at risk.

With the government sites it gets even more serious. While on torrent sites internauts may expect to be presented with a lot of advertisements and shady redirects, when surfing US government websites regular individuals tend to trust the content they are presented with.

This means that the chances for phishing, or other malicious operations, to be successful on these sites are fairly high.

XSS on National Endowment for the Arts
Enlarge picture
XSS on Torrent Hound
Enlarge picture
XSS on usniff.com
Enlarge picture

Enlarge picture
XSS on Torrents.com
Enlarge picture

Niciun comentariu:

Trimiteți un comentariu