Small Business Attack – Cross Site Scripting
On September 23rd, LiveJournal was attacked. The attackers used Flash. When the Flash file was loaded, it ran in the context of the logged-in user and modified that user's recent posts, which let the attack spread friend-to-friend. It also harvested email addresses.
Doesn’t sound like much, does it? After all, it’s basically a flash virus that steals email addresses, right? What’s new there?
Well, let’s look at the one thing that makes LiveJournal a successful site. At its core, it lets users post content and share links with one another. To block the attack, the admins had to effectively break the site until they tracked it down. The one thing LiveJournal requires of its users is the very thing the attacker used to get in. In fact, given what the site does, there may be no way to fully secure the system and still give users what they want.
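The usual compromise for a site like this is to keep user posts and links but rebuild each post from an allowlist of harmless markup, so an embedded Flash object, script, or `javascript:` link never reaches other readers' browsers. The sanitizer below is an added illustration written for this post, not LiveJournal's code; the tag allowlist and the sample post are constructed.

```python
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse

# Constructed allowlist: tags a post may keep, and the attributes allowed on each.
ALLOWED_TAGS = {"p": set(), "b": set(), "i": set(), "br": set(), "a": {"href"}}
SAFE_SCHEMES = {"http", "https"}      # no javascript:, data:, or relative links
SKIPPED_BODIES = {"script", "style"}  # drop the contents of these, not just the tags

class PostSanitizer(HTMLParser):
    """Rebuilds a post from its text plus allowlisted tags only.
    object/embed/script/iframe, inline event handlers and javascript: links
    are all dropped; text is re-escaped so it cannot reopen a tag."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in SKIPPED_BODIES:
            self.skip += 1
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:  # html.parser has already decoded entity refs here
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name == "href" and urlparse(value.strip()).scheme not in SAFE_SCHEMES:
                continue
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in SKIPPED_BODIES and self.skip:
            self.skip -= 1
        if tag not in self.open_tags:
            return
        while True:  # close back to the matching open tag, keeping output well-formed
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:  # close what the post left open so it cannot swallow later content
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)

def sanitize_post(raw_html):
    """Return the post's HTML reduced to allowlisted markup."""
    s = PostSanitizer()
    s.feed(raw_html)
    s.close()
    return s.result()
```

Links and basic formatting survive, while an `<object>` or `<embed>` pointing at a `.swf`, an inline `onclick`, and a `javascript:` href are all removed before the post is shown to anyone else.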
OK, then, suppose you accept the fact that you’re going to be successfully attacked. How do you protect yourself?
It’s interesting to note that the attackers just wanted email addresses. Odds are they could have taken other things too. Even so, since many people publish their list of friends, it would be trivial to link each harvested address to the addresses of that user's friends. A database of email addresses together with the email addresses of each person's friends is exactly what you need to run a phishing attack.
Do you allow your customers to post content on your website? Do you use any websites that allow you or your associates to post content? How are you protecting your data?
Note: since I wrote this post, but before it was posted, Reddit was similarly attacked.