When a company is hit with a cross-site scripting (XSS) attack, the natural reaction is to downplay the significance of the incident.
After all, an XSS vulnerability on a site does not mean that the site itself could be hacked or shut down. A typical XSS demonstration, which pops up a dialog box on somebody else's site, just emphasizes how harmless such an attack looks.
However, XSS is not harmless. We were just hit by one last night. And we do not want to downplay it.
The vulnerability on f-secure.com was found by security researcher Xylitol. He reported it yesterday evening. Xylitol is well-known for finding XSS vulnerabilities on sites such as army.mil, ibm.com and nasa.gov.
Above: result of accessing www.f-secure.com/en_EMEA/products/mobile/anti-theft-download/anti-theft-download-wizard.html?hidManufacturer=%27%22%3E%3C/title%3E%3Cscript%3Ealert%28/Mikko%20rulz/%29%3C/script%3E before the page was fixed. Screenshot from xssed.net.
We almost got it right. In fact, the script on our page does successfully filter out control characters and other dangerous content. Unfortunately, almost doesn't count. We do the filtering right once, and wrong once.
Apparently we added a feature to the page as an afterthought, and that feature did not go through code review or testing.
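The following is an added example written for this post, not the code of the F-Secure page (the wizard's template is not public). It models the bug described above: the hidManufacturer query parameter is reflected at two points in the page, one escaped and one, the afterthought, not. It decodes the exact URL shown in the screenshot caption, shows the unescaped sink breaking out of the title and injecting a script element, and shows the fix of escaping the value once and using the escaped copy at every sink. The template strings and helper names are assumptions for illustration.

```javascript
// Added example, not the F-Secure page's own code. The two-sink template
// below is an assumption modelled on "we do the filtering right once, and
// wrong once"; the URL and payload are the ones from the post.

// The URL reported by Xylitol, copied from the screenshot caption.
const REPORTED_URL =
  "https://www.f-secure.com/en_EMEA/products/mobile/anti-theft-download/" +
  "anti-theft-download-wizard.html?hidManufacturer=%27%22%3E%3C/title%3E" +
  "%3Cscript%3Ealert%28/Mikko%20rulz/%29%3C/script%3E";

// Decode the query parameter the way a browser or server framework would,
// turning the percent-encoded string back into the raw injection payload.
function getManufacturerParam(urlString) {
  return new URL(urlString).searchParams.get("hidManufacturer");
}

// Escape the five characters that can break out of HTML text content or a
// quoted attribute value. This is the only transformation the fix needs.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering (assumed template): the hidden form field is escaped,
// but the later-added <title> usage is not. One unescaped sink is enough:
// the payload closes </title> and opens its own <script> element.
function renderVulnerable(manufacturer) {
  return (
    `<title>Anti-Theft download for ${manufacturer}</title>\n` +
    `<input type="hidden" name="hidManufacturer" value="${escapeHtml(manufacturer)}">`
  );
}

// Fixed rendering: escape once, then use only the escaped copy at every sink.
// Inside <title> the entities stay literal text, so "&lt;/title&gt;" cannot
// close the element the way "</title>" did.
function renderFixed(manufacturer) {
  const safe = escapeHtml(manufacturer);
  return (
    `<title>Anti-Theft download for ${safe}</title>\n` +
    `<input type="hidden" name="hidManufacturer" value="${safe}">`
  );
}

// Detection check: does a <script> element appear that the template itself
// never contains? True means the parameter reached the markup unescaped.
function injectsScript(html) {
  return /<script\b/i.test(html);
}

const payload = getManufacturerParam(REPORTED_URL);
console.log("decoded payload:", payload);
console.log("vulnerable page injects script:", injectsScript(renderVulnerable(payload)));
console.log("fixed page injects script:", injectsScript(renderFixed(payload)));
```

The check that matters in review is not whether the escaping function is correct but whether it is applied at every place the parameter is written into the page; a grep for each occurrence of the parameter name in the template is the cheapest way to catch the second, unfiltered sink. The escaping shown covers HTML text and quoted attribute values only; a value placed inside a script block or a URL needs the escaping appropriate to that context.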
The problem has been fixed now. It was limited to our static Mobile Anti-Theft pages, and did not give access to any of our systems. This problem has not been used for any harmful activity.
In any case, we were burned.
So, what could have been done with this vulnerability? For example, somebody could have sent out a spam campaign claiming to be from F-Secure and pointing to a link that really was on www.f-secure.com, with the injected script hidden in the query string. When that link was clicked, the script would have run in the context of our site and could have downloaded malware (from some other site) to the user's computer. XSS vulnerabilities can be used to create serious problems. Luckily, in this case nothing bad happened.
Here's the timeline of the incident:
• Xylitol published an article on the problem in the early evening on 17th June
• We noticed the article at 20.51 EEST on 17th June
• We started fixing the problem at 02.15 EEST on 18th June
• We shut down the Mobile Anti-Theft page temporarily for fixing and isolating the problem at 02.45 EEST on 18th June
• The page was republished at 06.05 EEST on 18th June