
Blogger System Sites Used for Phishing

Zonk posted more than 7 years ago | from the careful-who-you-visit dept.

Security 33

jimbojw writes "In a recent security advisory Fortinet is reporting that due to Blogger's popularity, hackers have started to embed malicious scripts on some blogs. 'These scripts have shown up on hundreds of Blogger.com sites. In some cases, a variant of the Stration mass mailer is responsible for directing traffic to the Blogger.com sites.' CNET reports on the situation, quoting an unnamed Google representative as saying 'These are not legitimate blogs that were compromised. They appear to be deliberately set up to promote phishing, which is against our terms of service. We are investigating, and blogs found to include malicious code or promote phishing will be deleted.' The blogs in question use meta or JavaScript redirection to push traffic to a phishing or malware site. Links to the blogs are subsequently mass-mailed by infected visitors — typically via worms in the Stration family. We can only hope that this will not cause Google to remove Blogger.com's templating engine — which is both a source of its strength, and a potential liability as illustrated by these recent attacks."


33 comments

Phishers (0)

Anonymous Coward | more than 7 years ago | (#18378013)

Damn phishermen really get on my chimes >-(

Good old javascript (2, Interesting)

Anonymous Coward | more than 7 years ago | (#18378069)

This stuff just isn't ever going to be fixed. Some folks may not like it, but with all these silly problems, AJAX is the new MS Windows of the 21st century.

No, that's not a troll. Just an observation that many want to cover up.

Re:Good old javascript (0)

Anonymous Coward | more than 7 years ago | (#18378117)

This has nothing to do with JavaScript. RTFA.

Re:Good old javascript (1)

celardore (844933) | more than 7 years ago | (#18378319)

The summary says different.

The blogs in question use meta or JavaScript redirection to push traffic to a phishing or malware site

I did not RTFA.

Re:Good old javascript (0)

Anonymous Coward | more than 7 years ago | (#18380673)

The meta refresh tag does not require JavaScript. JavaScript isn't the source of this security problem.

Re:Good old javascript (1)

Vexorian (959249) | more than 7 years ago | (#18378813)

I am afraid I'll have to agree 100% with that statement, sorry guys.

Re:Good old javascript (1)

pkulak (815640) | more than 7 years ago | (#18378951)

How is adding a refresh meta tag to HTML "AJAX"?

Re:Good old javascript (1)

cheater512 (783349) | more than 7 years ago | (#18381447)

Javascript isn't insecure. It's showing vulnerabilities with the blogger.com system, not Javascript.

Where is the security flaw in location.href? There is none.

Phishing with Worms? (5, Funny)

ehaggis (879721) | more than 7 years ago | (#18378071)

That seems about right.

Re:Phishing with Worms? (1)

daenz (1066304) | more than 7 years ago | (#18389195)

yup. only that in this case, we become the "phishes"..

SPAM (2, Interesting)

mastershake_phd (1050150) | more than 7 years ago | (#18378105)

Not to mention blogs set up just to be filled with spam. Google must give these popular sites some leeway, before delisting them.

What's Next? (3, Funny)

andrewd18 (989408) | more than 7 years ago | (#18378121)

What's next, hacking a release server and modifying tarballs so blog updaters everywhere become vulnerable? Oh, wait...

They did what? (4, Insightful)

voice_of_all_reason (926702) | more than 7 years ago | (#18378127)

These sites allow you to include script? What were they thinking?

Anybody home, McFly?

Re:They did what? (2, Informative)

Lumpy (12016) | more than 7 years ago | (#18378169)

Lots of people have legitimate uses for Jscript on the website, AND google's own adwords relies on jScript to work.

Honestly all they need to do is make the template engine scrub any script that does redirects or nasty tricks like opening popups on load.

Re:They did what? (1)

drinkypoo (153816) | more than 7 years ago | (#18378477)

Honestly all they need to do is make the template engine scrub any script that does redirects or nasty tricks like opening popups on load.

That's not as easy as you think it is. If the javascript is sufficiently obfuscated then it will require a fairly complete environment to detect such tricks.

I personally think it makes more sense to just not allow people to use the template engine until they've had a functioning blog with actual readers for at least a month, maybe longer.

Re:They did what? (2, Interesting)

evought (709897) | more than 7 years ago | (#18379317)

In relatively early versions of TCL, they had the ability to create a sub-interpreter. The controlling interpreter could then populate the sub-interpreter with whatever commands and environment were deemed safe and create limited connections between the interpreters. Scripts running in the sub-interpreter simply did not have access to anything else. We used this to execute user scripts and configuration files in secure setups where anything coming in from the outside could be considered suspect. This could easily be done with javascript where untrusted pages/scripts would run in a limited sandbox. It was not terribly inefficient, either (against the interpreter overhead) and could even be nested. The page itself could even request such treatment, or an otherwise trusted page could request it for certain blocks of code. This pushes the actual security responsibility to the interpreter where it arguably belongs anyway. The client could decide it doesn't like the whole page and run it all in a sandbox.

Overall, I think javascript is much overused and abused for what should be simple content.

Re:They did what? (1)

Dachannien (617929) | more than 7 years ago | (#18378525)

Lots of people have legitimate uses for Jscript on the website

Yeah. It wouldn't be Web 2.0 without onMouseOver, would it.

Still, I guess it's better than embedding fifty Flash widgets on the page just for navigation.

Re:They did what? (2, Insightful)

maxume (22995) | more than 7 years ago | (#18378657)

OnMouseOver was Web 1.5. The :hover pseudo-class is Web 2.0.

Re:They did what? (1)

voice_of_all_reason (926702) | more than 7 years ago | (#18378575)

Lots of people have legitimate uses for handgrenades, but your landlord will probably not allow you to start setting them up in your apartment.

As to point 2, won't people just come up with new nasty tricks if some are blocked? Blacklisting won't work here.

Re:They did what? (2, Insightful)

Josef Meixner (1020161) | more than 7 years ago | (#18379215)

Honestly all they need to do is make the template engine scrub any script that does redirects or nasty tricks like opening popups on load.

If you find a way to do that, you will also have solved the halting problem; in other words, that is nearly impossible to do.

There is only one way which might be safe, supply finished javascript functions to the users to use and make it impossible to define new functions. Even that might be dangerous.

Re:They did what? (1)

Lavi Dave (1076727) | more than 7 years ago | (#18378857)

Well, I hope to God they can fix this without changing it too much. With the right coding, you can do damn near everything you can with a database-backed webserver.

I mean, why pay for hosting with this kind of flexibility?

Re:They did what? (2, Interesting)

klenwell (960296) | more than 7 years ago | (#18379587)

Agreed, but the ability to fully edit the source does make Blogger more fun than a lot of other 2.0 sites and I'd hate to see it go away.

Interestingly, both Blogger and Googlepages are now Google services. Blogger is obviously meant for blogging and Googlepages for setting up common web pages, but Googlepages is a headache and Blogger offers the ability to edit the source. So if I need to set up a random web page on the web and I want it to look like I want it to look (and not have ads plastered all over it), I'll use Blogger. I don't know anywhere else on the web where I can do this.

Re:They did what? (1)

SpectralDesign (921309) | more than 7 years ago | (#18386307)

You can, in fact, edit the HTML in googlepages too... look in the lower-right corner, next to "add gadget" where it says "edit HTML" (you need the cursor in the section you want to edit.)

But I agree -- I find the blogger interface more functional, in general. I suppose it also depends on what you're trying to accomplish too, however... there's certainly a place for googlepages.

Nothing new (1)

dotancohen (1015143) | more than 7 years ago | (#18378199)

Cross site scripting has been going on for as long as there has been JavaScript. What's new in this incarnation? See http://what-is-what.com/what_is/xss.html [what-is-what.com] (disclaimer: my site)

That's a STRENGTH? (2, Interesting)

ScentCone (795499) | more than 7 years ago | (#18378223)

A template that allows people to slap a meta redirect into the header is strength that they hope Google will still respect? If you want to play those games, host your own site. The point of these blog-o-spaces is to let people do the easy stuff, not monkey with redirection. On the other hand, I can see how it might take, oh... at least 10 minutes to write a filter that would block the meta redirects on their side of things. That is a lot to ask, even in the face of being Google-blacked.

Re:That's a STRENGTH? (1)

SirTalon42 (751509) | more than 7 years ago | (#18378491)

Except you can do all sorts of nasty tricks with javascript to obfuscate the redirection and other stuff. I remember a long time ago on Xanga's blog site you were allowed to put a limited subset of javascript in one section, but eventually someone came up with a way to get around the limits (I think it involved using document.write to write more javascript code) which you could then use to steal the cookies of anyone that was logged in to visit your page (so you could access most parts of their account, except posting and a couple other things, though you could view all their posts, even ones marked private/protected).

It isn't as easy as you'd think it would be.
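Several comments in this thread argue about the same design question: Lumpy suggests having the template engine "scrub any script that does redirects", drinkypoo and Josef Meixner reply that obfuscated scripts defeat that, ScentCone thinks a meta-refresh filter is a ten-minute job, and SirTalon42 describes document.write being used to get around a limited-subset filter. The following is an added example written for this page, not code from the original thread or from Google/Blogger. It puts the two approaches side by side in Python: a blacklist scanner that flags meta refresh and well-known JavaScript redirect idioms, and an allowlist sanitizer that keeps only a fixed set of tags and attributes (the way Shadyman's "I don't allow script tags" works). The sample templates, the hostnames (`phish.invalid`, `example.com`) and the tag allowlist are all constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample templates (not real Blogger content); hosts are placeholders.
PLAIN_META = ('<html><head><meta http-equiv="refresh" '
              'content="0;url=http://phish.invalid/login"></head><body>hi</body></html>')
PLAIN_JS = ('<html><body><script>window.location.href = "http://phish.invalid/";'
            '</script></body></html>')
# Same redirect as PLAIN_JS, spelled so that no literal "location" string appears.
OBFUSCATED_JS = ('<html><body><script>var w = window; '
                 'w["loc"+"ation"]["hr"+"ef"] = ["http:", "//phish.invalid/"].join("");'
                 '</script></body></html>')
BENIGN = ('<html><body><p>Hello <b>world</b> <a href="http://example.com/">link</a></p>'
          '<script>var x = 1;</script></body></html>')
JS_HREF = '<p><a href="javascript:alert(1)">x</a></p>'


class _TemplateWalker(HTMLParser):
    """Collects meta-refresh tags and the text bodies of <script> elements."""

    def __init__(self):
        super().__init__()
        self.meta_refresh = False
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names arrive lower-cased from HTMLParser
        if tag == "meta" and (a.get("http-equiv") or "").strip().lower() == "refresh":
            self.meta_refresh = True
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


# Blacklist signatures: the idioms the thread mentions (location.href etc., document.write).
REDIRECT_SIGNATURES = {
    "js-redirect": re.compile(r"\blocation\s*(\.\s*(href|replace|assign)\b|=)"),
    "js-document-write": re.compile(r"\bdocument\s*\.\s*write\s*\("),
}


def blacklist_scan(doc):
    """Blacklist approach: return sorted labels of known redirect tricks found in doc.
    Catches the plain cases; misses anything that hides the identifiers (false negative)."""
    w = _TemplateWalker()
    w.feed(doc)
    w.close()
    found = set()
    if w.meta_refresh:
        found.add("meta-refresh")
    for body in w.scripts:
        for label, pat in REDIRECT_SIGNATURES.items():
            if pat.search(body):
                found.add(label)
    return sorted(found)


# Allowlist approach: a fixed tag/attribute set, everything else is dropped.
ALLOWED_TAGS = {"b", "i", "p", "br", "a", "ol", "ul", "li", "em", "strong", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")


class _AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []
        self._dropped_depth = 0  # >0 while inside <script>/<style>; their text is discarded too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._dropped_depth += 1
            return
        if self._dropped_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag (meta, div, iframe, ...): drop the tag, keep its text
        kept = []
        for name, value in attrs:
            allowed = name in ALLOWED_ATTRS.get(tag, ())
            if allowed and value and value.strip().lower().startswith(SAFE_SCHEMES):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> and friends: emit once, no closing tag

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._dropped_depth = max(0, self._dropped_depth - 1)
            return
        if self._dropped_depth or tag not in ALLOWED_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropped_depth:
            self.out.append(html.escape(data))  # re-escape text so it cannot form new markup


def allowlist_sanitize(doc):
    """Allowlist approach: rebuild doc from allowed tags only; scripts and meta never survive."""
    s = _AllowlistSanitizer()
    s.feed(doc)
    s.close()
    return "".join(s.out)


if __name__ == "__main__":
    for name, doc in [("plain meta", PLAIN_META), ("plain js", PLAIN_JS),
                      ("obfuscated js", OBFUSCATED_JS), ("benign", BENIGN)]:
        print(f"{name:14} blacklist={blacklist_scan(doc)!r:22} "
              f"allowlist={allowlist_sanitize(doc)!r}")
```

Running it shows the asymmetry the thread is arguing about: the blacklist flags the plain meta refresh and the plain `location.href` assignment but returns nothing for the obfuscated variant, while the allowlist produces the same output for all three redirecting templates (no script, no meta) and still keeps the benign paragraph, bold text and `http://` link intact. The allowlist also drops the `javascript:` href without needing a signature for it, because only `http`/`https` values pass. The cost is exactly what klenwell and Lavi Dave object to: users lose the ability to ship their own scripts.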

Re:That's a STRENGTH? (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18379565)

It's not meta, it's JavaScript, see: http://johnbokma.com/mexit/2006/07/13/ [johnbokma.com]
They often redirect to sites that pay for click traffic.

My best guess is that there are about 50.000 blog spot blogs doing this, although Google, after months, seems more serious at cleaning this shit up.

If this hasn't already been named... (5, Funny)

Flabio (111772) | more than 7 years ago | (#18378505)

...can we call it "phlogging"?

Re:If this hasn't already been named... (1)

kbox (980541) | more than 7 years ago | (#18378617)

I prefer "bloshing".

Been there. (2, Informative)

Shadyman (939863) | more than 7 years ago | (#18379115)

I've had numerous attacks against my site, which of course don't work because I don't allow script tags, but I've reported the target sites to their respective webhosts and registrars, and had at least a few blocked/cancelled/warned/etc. Most registrars and webhosts are more than happy to put these sites out of their misery.

mo3 0p (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18379567)

over to yyet anoth3r a change to

OMG! (2, Funny)

whorapedia.com (1070006) | more than 7 years ago | (#18379651)

What has the world come to! You spammers should all be ashamed of yourselves!!

Visit http://www.whorapedia.com/ [whorapedia.com] ... where all of your wildest dreams will come true!!

new hobby.. (1)

beando (1074553) | more than 7 years ago | (#18383547)

i guess people nowadays like to go "Fishing"..