Version: 2008

Comments on: Attackers booby-trap searches at top Web sites

A growing number of sites are affected, including USAToday.com, Target.com, Walmart.com, and several sites owned by CNET Networks, the publisher of News.com.

(13 Comments)
This is frightening
by Leria March 29, 2008 5:33 AM PDT
And I am wondering how these crackers were able to pull this off, without anyone noticing that there was 'extra code' in the search results.
How it was done - short answer
by kLevkoff March 31, 2008 2:19 PM PDT
The short answer is that, apparently, a BUG in the search engine code allowed the hackers to substitute their own fake result pages for the legitimate ones in the outgoing cache for the search engines in question. So, when you sent a query that had been recently done before, and the site returned the copy of your result page in their cache to save time and effort, they instead returned the fake one provided by the hackers. This substitution was achieved using some sort of security FLAW in the web site or search engine code itself.... a flaw which SHOULD have been discovered and fixed if the software was properly tested.
The neighbors will be calling...
by kojacked March 29, 2008 10:10 AM PDT
Great! Another weekend of fix every computer in the neighborhood...

Instead of the government looking to tax us for music on behalf of the RIAA how about they use OUR money to catch and imprison these guys instead?
Use Firefox With Noscript
by Stating March 29, 2008 10:19 AM PDT
This is why I use Firefox with Noscript. By default any new site I visit has Java, Flash, etc. disabled.
Firefox
by eingram1 March 29, 2008 4:54 PM PDT
Yes, but think of all those entertaining ads you're missing
Great Tools
by umbrae March 30, 2008 9:08 AM PDT
NOSCRIPT and COOKIE SAFE are great plugins for Firefox. Only problem would be whitelisting a site that is compromised. So be careful what you whitelist and when.
This is true
by millionmade03 March 30, 2008 7:31 PM PDT
I have used NoScript on my Firefox and I have not seen any spyware on my computer since; also, I have been using NoScript for almost a year. I just don't need to run it in Linux, just on my "Windows" systems.
I dare you to get people to do that
by ejevo April 2, 2008 1:29 PM PDT
Most web surfers won't last 5 minutes with NoScript, Flashblock, etc. all in place and preventing content from appearing. Most web sites lose important functionality when those items are in place. Protected? Sure. Usable and practical? Sadly, no.

We need a better way.
Need to pull arms and legs off of hackers
by WJeansonne March 30, 2008 7:54 AM PDT
while they are still alive to set an example. These evildoers need to be seized with an eye for an eye.
iFrame injection - just FIX the BUG
by kLevkoff March 31, 2008 2:09 PM PDT
I agree that the people who launch these big attacks should be retaliated against - and ninjas with black masks and poisoned darts seem quite appropriate to me - preferably in the dark of night with orders to leave no survivors.

The fact remains, however, that they are only able to do this because the web site software is BUGGY. I am tired of hearing about "scaling defenses" and the like, followed by all sorts of questions about "blocking the attacks". The "defense" is to fix your code so the bugs are no longer there, then apply enough QUALITY CONTROL to prevent it from happening again. This is happening because of a BUG; inputs are apparently NOT being properly and fully validated, which is something that any decent programmer supposedly learned to do in school. What's to scale - replace the defective code containing the exploit with new code that works correctly and the problem is gone!
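An added illustration of the failure kLevkoff's comments describe (a search term reaching a cached result page without validation) next to the fix. This is example code written for this page, not code from any of the affected sites; the cache, the function names, the index and the sample query are all assumptions.

```python
import html
import re

# Constructed stand-in for a site's search index (assumption for the example).
INDEX = {"shoes": ["Running shoes", "Dress shoes"]}

def lookup(query):
    """Return hits whose keyword appears in the query; empty list if none."""
    return [hit for word, hits in INDEX.items() if word in query.lower() for hit in hits]

def _items(hits):
    return "".join(f"<li>{html.escape(h)}</li>" for h in hits)

def render_unsafe(query, hits):
    # Defect: the visitor's search term is copied into the page verbatim.
    return f"<h1>Results for {query}</h1><ul>{_items(hits)}</ul>"

def render_safe(query, hits):
    # Fix: HTML-encode the term so any markup in it is displayed as text.
    return f"<h1>Results for {html.escape(query)}</h1><ul>{_items(hits)}</ul>"

def search(query, render, cache):
    """Serve the cached page for a repeated query, rendering it on first use."""
    if query not in cache:
        cache[query] = render(query, lookup(query))
    return cache[query]

# Tags that make a browser load or run third-party content.
ACTIVE_TAG = re.compile(r"<\s*(iframe|script|object|embed)\b", re.IGNORECASE)

def audit_cache(cache):
    """Return the cached queries whose stored page contains active markup."""
    return sorted(q for q, page in cache.items() if ACTIVE_TAG.search(page))

# Constructed sample query carrying an inert iframe tag (reserved .invalid host).
SAMPLE = 'shoes<iframe src="//example.invalid/"></iframe>'

if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        cache = {}
        search("shoes", render, cache)
        search(SAMPLE, render, cache)
        print(render.__name__, "flagged:", audit_cache(cache))
```

Pages rendered before the fix stay in the cache until they are purged, so the audit has to run over stored pages as well as new output.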
Who's the victim, and who's the problem?
by kLevkoff March 31, 2008 2:15 PM PDT
I agree that the perpetrators are, well, the perpetrators, but I believe that a major portion of the blame rests with the Web sites - after all, it IS their defective code that allows this exploit to work. Virtually every posting I've seen seems to ignore the fact that none of this would have happened if the code used by the Web sites themselves was well written, well tested, and working properly.

The bad guys were able to get in because basic security precautions, the kind that any first year programmer SHOULD be aware of, were apparently not correctly implemented in the code. The Web sites attacked were NOT "innocent", they were neglectful and they ARE partly to blame.

If the sites were using search engine code written by someone else, then the creators of the code are responsible for selling or providing defective and insecure code, and the sites themselves are responsible for using code without testing it - and risking the security of their customers as a result of their sloppiness.....

Let's stop talking like they did everything right and got "blindsided" by this.....