Scripting backdoor steals secrets

How it works

A BugNet reader submitted this after he had tested this security vulnerability on a number of Web sites. We are surprised not only by the ease of this exploit, but also by the pervasiveness of the problem. Our examination revealed that some of the biggest and best-known Web sites exhibit this vulnerability. The exploit is based on a flaw in the way Web sites handle user input, allowing a malicious user to execute a rogue script from a legitimate site.

The problem is that these Web sites don't properly screen user input. So, if you searched for the phrase "", the Web site would try to get your browser to execute the JavaScript alert command. With JavaScript enabled in your browser, you would get a message box on your computer that says "Hello." This example could easily be expanded to copy files, or even cookies, off your computer.

What's At Stake?
Using this vulnerability, a hacker could send out an e-mail message containing a specially constructed hyperlink to their victims. When the victim clicks on the link, his or her private "cookie" can be stolen. This would allow the hacker to retrieve personal information about the user, including the contents of his or her shopping cart.

This could also potentially give the hacker the ability to impersonate the victim online, and gain access to his or her credit card information.

Depending on the victim's security settings, this same vulnerability would allow the hacker to run rogue ActiveX controls on the victim's machine, bypassing all the usual security safeguards. This vulnerability also defeats the cross-domain security controls present in all popular browsers.

KeyLabs tests have verified the vulnerability on over 20 of the largest and best-known Web sites. To test other sites for yourself, you can copy and paste the "Hello" JavaScript ("") into a search field on your favorite website. If the site isn't appropriately parsing its search strings, you will get the "Hello" message box on your screen. If this happens, then it's time to complain to their support departments. KeyLabs tests showed that both Netscape and IE are affected by this security breach, but we want to reiterate: this is not a browser bug. It is a bug in the custom code used to grab and process user data.
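As an added illustration (not code from the article or from KeyLabs), here is the server-side flaw and its fix in Python: a search-results handler that copies the query straight into the page, beside one that HTML-escapes it first, plus a check that tells the two apart. The probe string and the handler names are constructed here to match the article's description of the "Hello" alert.

```python
import html

# Constructed probe: the kind of search term the article describes, which
# makes a vulnerable site hand the browser a script that pops up "Hello".
PROBE = '<script>alert("Hello")</script>'


def render_results_vulnerable(query: str) -> str:
    """The bug the article describes: the user's search term is pasted into
    the HTML body unchanged, so any tags it contains become live markup."""
    return f"<p>Results for: {query}</p>"


def render_results_escaped(query: str) -> str:
    """The fix for this context: encode <, >, &, and quotes before the term
    reaches the page, so the browser shows the text instead of running it.
    (Attribute and JavaScript contexts need their own context-specific encoding.)"""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def reflects_markup(page: str, query: str) -> bool:
    """Site-owner self-check: True when a query that carries markup characters
    comes back in the page verbatim, i.e. the site is not screening input."""
    carries_markup = any(c in query for c in '<>"\'')
    return carries_markup and query in page


def contains_script_tag(page: str) -> bool:
    """Detection helper: does the rendered page contain a raw <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for name, render in (("vulnerable", render_results_vulnerable),
                         ("escaped", render_results_escaped)):
        page = render(PROBE)
        print(f"{name:10} reflects markup: {reflects_markup(page, PROBE)}")
        print(f"{name:10} output: {page}")
```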

Still there are things that you can do.
