cross-site scripting

Web apps attacked every two minutes, study finds

The average Web-based application is hit by a cyberattack once every two minutes, says a report out today by security firm Imperva.

Detailing its findings in its "Web Application Attack Report" (PDF) for July, Imperva found that Web applications are attacked around 27 times per hour. Monitoring the Internet from December 2010 through May 2011, the security firm uncovered and categorized more than 10 million individual attacks targeting both business and government sites.

Automated cyberattacks accounted for a huge number of attempted breaches. The report discovered that attack traffic was characterized by quick spikes of high volumes followed … Read more

Facebook, spammers are in 'arms race'

Within days of Facebook rolling out new security features designed to block spam, several new social-engineering attacks were spreading that somehow managed to get by the company's antispam defenses.

The spammers have modified their handiwork so it will get past Facebook's scam detection system, company spokesman Fred Wolens told CNET today.

"There are new methods they've picked up after we put out the protections on Thursday," he said. "It's an arms race. We put out new protections and they come up with new campaigns...When we announced the new security features, they were … Read more

Facebook adds new user security features

Facebook is launching several new security features today designed to protect users from malware and from getting their accounts hijacked.

First, the site will display warnings when users are about to be duped by clickjacking and cross-site scripting attacks in which they think they are following a link to an interesting news story or taking action to see a video and instead end up spamming their friends.

For example, a scam was circulating yesterday in which Facebook users were inadvertently commenting on what looked like a news site with details of the iPhone 5. Clicking on the link leads to … Read more

Researchers point out holes in McAfee's Web site

Researchers disclosed on a public security e-mail list today three vulnerabilities in the Web site of security firm McAfee, whose site has been found to have bugs several times before.

The YGN Ethical Hacker Group told the Full Disclosure list that it had reported the problems to McAfee on February 10 and two days later the company said it was working to resolve them. The group disclosed them publicly after noticing that they remained open this weekend--a month and a half later.

McAfee says it is aware of the vulnerabilities and is working to fix them. "It is important … Read more

Twitter: The new stage for hacker hijinks

Generating a news frenzy usually reserved for Apple product launches, pranksters turned Twitter into wormville this morning. The fast-spreading exploits proved two things: Twitter is undoubtedly now a mainstream service, and it's joined the ranks of big-time tech companies as a target for hackers.

Security experts interviewed by CNET say the messaging service has done a fair job of protecting itself so far, but will have to be more careful with its coding if it wants to be trusted for news aggregation, integration on corporate sites, and as a useful international communication tool.

"They're just as much … Read more

Microsoft to fix IE8 cross-site scripting problem, again

Microsoft will plug a hole in a built-in filter in Internet Explorer 8 that can be used to launch the very types of attacks on Web sites it was designed to help prevent, the company said on Tuesday.

The company will update the IE cross-site scripting (XSS) filter in June to fix a hole that researchers warned about at the Black Hat Europe conference in Barcelona last week. The researchers showed how problems with the filter could be used to inject malicious code onto sites including Google, Microsoft's Bing search site, and Twitter.

"A June release is what'… Read more

McAfee blasted for having holes in its Web sites

Updated 5:15 p.m. PDT with McAfee saying most of the vulnerabilities have been fixed.

Security vulnerabilities on McAfee sites, including one designed to scan customers' sites for flaws, exposed certain customer accounts and could have been used for phishing attacks in which malware disguised as McAfee software could be distributed, security experts say.

McAfee said late on Tuesday that most of the vulnerabilities were fixed, except for one part of the Web site that was taken offline to be fixed.

The McAfee sites were found to be vulnerable to cross-site scripting (XSS) attacks and cross-site request forgery attacks … Read more

Google fixes severe Chrome security hole

Google released a new version of its Chrome browser Thursday to fix a high-severity security problem.

The problem affects Google's mainstream stable version of Chrome and is fixed in the new version 1.0.154.59. Google has built Chrome so it updates itself automatically with no user intervention, though the software must be restarted for the new version to run.

The security problem, reported April 8 by Roi Saltzman of the IBM Rational Application Security Research Group, allowed cross-site scripting attacks. Such methods can make a Web browser process unauthorized code such as JavaScript, enabling a variety … Read more

Teen Twitter worm writer gets job, spreads new worm

The teenager who takes credit for the worms that hit Twitter earlier this week has been hired by a Web application development firm and on Friday released a fifth worm on the microblogging site, he said.

Twitter fought off four waves of worm attacks last weekend and into Monday in which Twitter users were infected just by clicking on the name or image of someone whose account was infected. The worms appeared to do no damage other than spread to infected users' followers and modify profile pages.

Michael Mooney, a 17-year-old living in Brooklyn, N.Y., told CNET News that … Read more

Twitter cleans up after weekend worm attacks

Twitter security engineers were cleaning up on Monday following a series of worm attacks over the weekend, including at least two credited to a bored 17-year-old.

In the first attack, which began early on Saturday, four new accounts began spreading a worm, compromising about 90 accounts, Twitter co-founder Biz Stone wrote in a posting on the Twitter blog.

The worms appeared to do no damage other than spread to infected users' followers and modify profile pages. You can get infected just by clicking on the name or image of someone whose account was infected.

Later that afternoon, about 100 accounts … Read more