Sep 21, 2010

Twitter Hacked – onMouseover Bug

An XSS (Cross-Site Scripting) vulnerability has hit twitter.com.

The flaw used a simple JavaScript onMouseOver handler, which fires an event when the mouse passes over an area of text. The user was then redirected to a third-party site without their consent.

Twitter’s @safety account tweeted Tuesday morning, “We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit.”

As of 10:00 AM EST, Twitter issued this statement: “This should now be fully patched and is no longer exploitable.”

Mashable estimates that the security flaw “has been widely exploited on thousands of Twitter accounts.” TechCrunch reports the onMouseover exploit may have spread to as many as 40,000 tweets in just 10 minutes.

Have you seen it? How has it affected you? Let us know below.

Sep 14, 2010

Stack-based buffer overflow – Adobe Reader and Acrobat 9.3.4

A stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.3.4 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart Independent Glyphlets (SING) table in a TTF font.

This still-unpatched vulnerability is actively being exploited in the wild. Exploits do not require JavaScript to be enabled within Adobe Reader and do not require write access to any directory. Confirmed exploits against Adobe Reader 9.1.0, 9.3.0 and 9.3.4 running on Windows XP, Windows Vista and Windows 7 have been reported.

Here is the exploit code in the PDF that’s circulating in the wild:

[Image: Shell Code for CVE-2010-2883]

A Metasploit module is included in the most recent version. Adobe claims to be working on a fix; let’s see how long…
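An added example, not from the post or from Adobe: a small Python checker, written from the defender's side, that walks a TrueType table directory and flags a SING table whose uniqueName field is not NUL-terminated within its 28 bytes. That uniqueName is assumed (from the published analyses of this bug) to be the “long field” the advisory refers to, and the offsets follow Adobe's SING table layout; the fonts it scans are constructed inside the block, not real-world samples.

```python
import struct

# SING table layout (assumed from Adobe's SING spec): eight 16-bit header
# fields, then a 28-byte uniqueName, then METAMD5 and a name length byte.
SING_UNIQUENAME_OFFSET = 16
SING_UNIQUENAME_SIZE = 28


def ttf_tables(font):
    """Yield (tag, offset, length) for every entry in the sfnt table directory."""
    if len(font) < 12:
        return
    num_tables = struct.unpack(">H", font[4:6])[0]
    for i in range(num_tables):
        entry = 12 + 16 * i
        if entry + 16 > len(font):
            return                      # directory claims more tables than exist
        tag = font[entry:entry + 4]
        offset, length = struct.unpack(">II", font[entry + 8:entry + 16])
        yield tag, offset, length


def suspicious_sing_table(font):
    """Return a reason string if the SING table looks like the CVE-2010-2883
    trigger (uniqueName with no NUL inside its 28 bytes), else None."""
    for tag, offset, length in ttf_tables(font):
        if tag != b"SING":
            continue
        if offset + length > len(font):
            return "SING table runs past end of font"
        if length < SING_UNIQUENAME_OFFSET + SING_UNIQUENAME_SIZE:
            return "SING table too short to hold uniqueName"
        start = offset + SING_UNIQUENAME_OFFSET
        name = font[start:start + SING_UNIQUENAME_SIZE]
        if b"\x00" not in name:
            return "SING uniqueName has no NUL terminator within 28 bytes"
    return None


def build_font(unique_name):
    """Constructed minimal sfnt with one SING table; test input, not a usable font."""
    header = struct.pack(">8H", 1, 0, 1, 0, 0, 1000, 0, 0)
    body = header + unique_name.ljust(SING_UNIQUENAME_SIZE, b"\x00")[:28] + b"\x00" * 17
    directory = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    entry = struct.pack(">4sIII", b"SING", 0, 12 + 16, len(body))
    return directory + entry + body


BENIGN = build_font(b"Glyphlet1")      # terminated name: passes
OVERLONG = build_font(b"A" * 28)       # no terminator: flagged
```

The same checker can be run over every FontFile2 stream extracted from a PDF to triage samples before they reach a vulnerable Reader.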

Sep 08, 2010

Tracking Google Instant Partial Queries in Google Analytics

My previous post describes Google Instant and the new search results user interface. Now that folks have had several hours to play with it, certain realizations begin to set in. What does this mean for Search Engine Optimization? What does this mean for my traffic?

All good questions; in this post I will address the first one that came to my mind. What about Analytics? How do I track Google Instant partial queries? Now that Google is presenting real-time, or instant, results, there is a high chance that the query string passed to Google Analytics is incomplete, or rather partial, because the link was displayed before the user even finished typing the query!

For example, an instant result for “weather” may only pass along “w” as the query parameter to Analytics, since Google displays the link to weather after the user types just “w”. To capture what the user actually typed to reach the result they were looking for, an additional parameter is included in the result set. That parameter is “oq=”, and it carries the full typed query you are looking for.

To track partial queries, and their position in Google Instant, you will need to create a new profile along with a new filter in your Google Analytics report. It is pretty straightforward; below is a sample filter you can use to start tracking.

  1. Create a new Filter name: “New Instant Ranking Filter”
  2. Set Filter type: “Custom filter – Advanced”
  3. Field A -> Extract A: Referral, ^https?://www\.google\.(co.uk|com)/(?!custom|m/).*[?#&]cd=([^&]+).*&q=([^&]+).*&oq=([^&]+)
  4. Field B -> Extract B: Medium:^organic$
  5. Output To -> User Defined: $A5 (position: $A3)

You may have to play a little with the filter for your specific requirements, but this should give you a good start.

Let me know if you have any other suggestions or comments.
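As an added example (not from the original post), here is Python that does outside Google Analytics what the filter above does inside it: it pulls cd, q and oq out of a Google referrer, whether the parameters sit after “?” or after “#” as they do in Instant's AJAX URLs, skips custom and mobile search paths as the filter's negative lookahead does, and builds the same “typed query (position: cd)” value. The sample referrers are constructed, not captured from real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Google organic referrers carry 'q' (the possibly partial query that matched),
# 'oq' (what the user actually typed) and 'cd' (position of the clicked link).
# Instant's AJAX UI puts these after '#', classic results put them after '?'.
GOOGLE_HOST = re.compile(r"^www\.google\.(co\.uk|com)$")


def instant_query_info(referrer):
    """Return (typed_query, partial_query, position) for a Google organic
    referrer, or None when the referrer is not one this filter should touch."""
    parts = urlsplit(referrer)
    if parts.scheme not in ("http", "https") or not GOOGLE_HOST.match(parts.netloc):
        return None
    # Same exclusions as the filter's (?!custom|m/) lookahead.
    if parts.path.startswith(("/custom", "/m/")):
        return None
    # Parameters may live in the query string, in the fragment, or in both.
    params = {}
    for chunk in (parts.query, parts.fragment):
        params.update(parse_qs(chunk))
    q = params.get("q", [None])[0]
    oq = params.get("oq", [None])[0]
    cd = params.get("cd", [None])[0]
    if q is None or oq is None or cd is None:
        return None
    return oq, q, cd


def user_defined_value(referrer):
    """Build the 'User Defined' string the filter writes: '<oq> (position: <cd>)'."""
    info = instant_query_info(referrer)
    if info is None:
        return None
    typed, _partial, position = info
    return f"{typed} (position: {position})"


# Constructed sample referrers (not real traffic).
SAMPLES = [
    "http://www.google.com/#sclient=psy&q=w&oq=weather&cd=3",      # Instant, fragment
    "https://www.google.co.uk/search?q=wea&oq=weather&cd=1",       # classic, query string
    "http://www.google.com/custom?q=w&oq=weather&cd=2",            # custom search: skipped
    "http://www.bing.com/search?q=weather",                        # not Google: skipped
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(ref, "->", user_defined_value(ref))
```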

Sep 08, 2010

Google Instant – New Search Enhancement

The big anticipated announcement from Google this morning is “Google Instant”.

Google is moving away from the traditional HTML based results to a more robust AJAX based application for delivering ‘real’ time search results. Marissa Mayer noted that Google has already made approximately 500 changes to search ranking and user interface (UI) in 2010.

It takes a user on average 9 seconds to enter a search query, followed by a few hundred milliseconds on Google’s servers to render a search result. The user then spends about 15 seconds looking at the results. Google Instant claims to save users 2-5 seconds per query, which Google says adds up to 11 hours saved in aggregate every second.

Google displays the characters the user has typed in black, followed by grey predicted characters that shift as the user continues to type. Why even keep the search button at this point? Pressing it forces Google to search for exactly what you’ve typed, without predicting how you’ll finish the query.

Instant will begin rolling out to users of Google domains in the US, UK, France, Germany, Italy, Spain and Russia on the following browsers: Chrome v5/6, Firefox v3, Safari v5 for Mac and Internet Explorer v8.

For more information from Google, you can visit their brief description over at:

http://www.google.com/instant

Sep 03, 2010

Internet Explorer 8 | Arbitrary Sites allowed to tweet

A new vulnerability and Proof Of Concept (PoC) code has been posted to the Full Disclosure mailing list. Chris Evans says:

A nasty vulnerability exists in the latest Internet Explorer 8. I have been unsuccessful in persuading the vendor to issue a fix. The bug permits — for example — an arbitrary web site to force the victim to make tweets.

A harmless example has also been posted on his site (see below).

http://scary.beasts.org/misc/twitter.html

This bug appears to be strictly an Internet Explorer issue and no fault of Twitter. At this time there does not appear to be a reasonable workaround. This appears to be a cross-origin CSS attack: a malicious page imports a page from the victim website as a style sheet, which lets it read confidential information from that page and hijack the user’s existing authenticated session.

Chris continues to state that there is evidence to suggest that Microsoft has been aware of this since at least 2008.

Update: another PoC has been posted:

http://skeptikal.org/exploits/twitter/twitter_xss.html


How long do we have to wait for a fix?

You can protect yourself by using NoScript, RequestPolicy, or other client-side protections.