MPAA/RIAA Web site security flaw ironic, but unsurprising

Fortify Software, the application vulnerability specialist, says that the cross-site scripting (XSS) security flaw reported on the Web sites of the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA) comes as no surprise.

"The fact that a cracker known as Vektor - a member of the Team Elite group of Web exploit publicists - was able to insert details of the well-known file-sharing site, The Pirate Bay, into the MPAA's recommended list of sites is ironic, given the MPAA's stance on illegal file-sharing," said Richard Kirk, Fortify's director.

"But the issue that such sites are open to XSS-driven incursions and alterations comes as no surprise, given the fact that so many sites are poorly programmed and therefore open to such attacks," he added.

According to Kirk, the list of XSS-attacked sites is now quite long and includes eBay, Intel, Eset, Kaspersky, McAfee and Symantec, to mention but a few.

The sad reality of a world in which sites run on poorly audited and poorly programmed code, he says, is that this list is going to get longer.

As companies are pressured by the economic recession, IT security safeguards such as program code auditing and soak testing are either curtailed or axed from the development process. The result is that program code - like the hosting software seen on the above sites - goes live without being fully tested, he explained.

"Until such time as organisations get wise to the fact that they simply cannot afford to remove back-room security such as code auditing and soak testing from their portfolio of IT security defences, these types of attacks will continue," he said.

"The MPAA is lucky that Vektor's attack was a proof-of-concept one, and intended as something of a joke. The next time they - and other organisations whose sites are vulnerable to XSS-driven attacks - may not be so lucky," he added.

For more on Vektor's attack on the MPAA site: http://preview.tinyurl.com/d7utwg

For more on Fortify Software: http://www.fortify.com

Yvonne Eskenzi, Eskenzi PR