infosec-news September 2010 archive

[ISN] Symantec HackIsWack site still open to rickrolling

From: InfoSec News <alerts_at_nospam>
Date: Fri Sep 10 2010 - 07:50:58 GMT
To: isn@infosecnews.org

http://www.theregister.co.uk/2010/09/09/symantec_hackiwack_rickrolled_again/

By John Leyden
The Register
9th September 2010

Symantec's hapless HackIsWack cybercrime rap competition site can still
be rickrolled, despite assurances to the contrary from the security
giant.

A web application filter was deployed to block the earlier cross-site
scripting attack, but the filter is configured to allow a YouTube video
featuring rapper Snoop Dogg, who has been recruited to promote the
project, to be displayed. So even though the initial attack no longer
works, unresolved vulnerabilities on the site mean it can still be
rickrolled onto other YouTube videos, as a proof-of-concept linked from
the original article showed.
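The failure described above is a filter that permits "a YouTube embed" rather than "the one sanctioned YouTube embed", so any video on the same host passes. The following is an added illustration, not code from The Register article, from Symantec's site or from Mike Bailey's write-up: a naive substring check of the kind that stops the original payload but still lets any other video through, next to a strict check that parses the URL and pins scheme, host, path shape and the exact video ID. The video IDs, hostnames and test inputs are constructed placeholders, not the real HackIsWack values.

```javascript
// Added example (not from the article or the HackIsWack site).
// Models an output filter that must allow an embedded player for one
// promotional video while rejecting everything else.

const PROMO_VIDEO_ID = "PROMO_VIDEO_0001"; // hypothetical ID of the sanctioned video

// Naive filter: allow any embed whose src mentions youtube.com.  This is the
// shape of filter that blocks a generic script payload but still lets any other
// YouTube video (a Rick Astley clip, say) and even a javascript: URL through.
function naiveAllowsEmbed(src) {
  return src.includes("youtube.com");
}

// Strict filter: parse the URL, pin scheme and host exactly, accept only the
// /embed/<id> player path, and compare the ID against the single sanctioned value.
function strictAllowsEmbed(src) {
  let url;
  try {
    url = new URL(src);
  } catch {
    return false;                                   // not an absolute URL at all
  }
  if (url.protocol !== "https:") return false;      // rejects javascript:, data:, http:
  if (url.hostname !== "www.youtube.com") return false; // exact host, no substring match
  const m = url.pathname.match(/^\/embed\/([A-Za-z0-9_-]{1,64})$/);
  if (!m) return false;
  if (m[1] !== PROMO_VIDEO_ID) return false;        // only the sanctioned video
  if (url.search !== "" || url.hash !== "") return false; // the player needs no extras
  return true;
}

// Constructed test inputs (placeholders, not real video IDs or hosts).
const SANCTIONED = "https://www.youtube.com/embed/PROMO_VIDEO_0001";
const RICKROLL   = "https://www.youtube.com/embed/RICKROLL_VIDEO_01";
const LOOKALIKE  = "https://www.youtube.com.evil.example/embed/PROMO_VIDEO_0001";
const JS_SCHEME  = "javascript:alert(document.domain)//www.youtube.com";

// Run one filter over all four inputs and report which it would let through.
function evaluate(filter) {
  return {
    sanctioned: filter(SANCTIONED),
    rickroll:   filter(RICKROLL),
    lookalike:  filter(LOOKALIKE),
    jsScheme:   filter(JS_SCHEME),
  };
}

console.log("naive :", evaluate(naiveAllowsEmbed));
console.log("strict:", evaluate(strictAllowsEmbed));
```

The naive filter passes all four inputs; the strict one passes only the sanctioned embed. The point for a practitioner is that an allowlist on a hostile-input path has to describe exactly the one thing you intend to render, not the service it comes from.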

The apt use of Beaker from the Muppets singing Rick Astley is a fitting
tribute to the whole HackIsWack endeavour. The rap competition has the
laudable aim of raising cybercrime awareness, but is chiefly noteworthy
for security snafus that have made Symantec look rather silly, instead
of down with the kidz.

The rickrolling cross-site scripting bug was only the most publicised of
the site's flaws. Other problems included the caching of potentially
sensitive data and upload security problems, among others, according to
a write-up by security blogger Mike Bailey last week.

[...]

_______________________________________________________
Subscribe to InfoSec News - www.infosecnews.org
http://www.infosecnews.org/mailman/listinfo/isn