We all know that the increasing sophistication of technology opens up literally dozens of new opportunities for those wanting to inflict harm on that technology’s users. The Internet is, if anything, an object lesson for this truism. Once the Internet became mainstream, so to did viruses, spybots, DOS attacks, and all the other nastiness we collectively refer to as malware. One long term weaknesses in the security armor of the Internet is cross-site scripting (XSS). For the better part of a decade it has for Internet users left a door wide open to an unwanted destructive potential.
XSS is merely code that is shuttled between senders--users or web pages, and receivers--other web pages. XSS often takes the form of JavaScript, which a web page uses to direct a receiving computer to act. XSS is mostly commonly used on dynamic web pages which respond to a user’s initial input. XSS is also potentially easy to stop, through the use of input validation, but such validation isn’t always implemented effectively, if implemented at all.
Michael Sutton, the vice president of security research at Zscaler, says that XSS typically needs a user to click a link, such as those that appear in spam or phishing efforts, which then strikes back at the user. But, he continues, XSS is becoming more sophisticated. Rather than being limited to a user-web site interaction, Sutton says that XSS efforts can now work within a web platform, such as a social networking environment, spreading itself readily among all users in the social network’s ecosystem.
Sutton also says that such sophisticated attacks, so far, have been by “[b]ored and bright individuals...tinkering with the concept”, and that “true criminals wait on the sidelines ready to move in when traditional techniques fail to achieve desired goals.” Translation: another malware threat to be concerned about. Not today, perhaps, but definitely tomorrow.
Solutions aren’t all that difficult. Users could quit doing stupid things. For instance, if you don’t know where an email originated, don’t click the link it contains. But, let’s face it, there’ll always be one or two of us who do it anyway. Which means that another level of protection is needed. Sutton says that’s got to be developers--they need to be more vigilant about writing into code the necessary protections for web programs, such as Microsoft has done with Internet Explorer 8.
It’s not uncommon to see a free iPad scam pop up in your Facebook feed, but the latest apparent hack is a little more about shock than profit. An as yet unknown attack appears to be flooding some users’ feeds with images of gore and pornography. Facebook has acknowledged an increase in reports of such content, ans is investigating.
