Multiple MPAA and RIAA Websites XSSed

Movie ratings can be altered and other rogue content loaded

By Lucian Constantin, Web News Editor

6th of May 2009, 10:12 GMT

[Image: RIAA website vulnerable to cross-site scripting attacks]
Vektor, the hacker who played a joke on the Motion Pictures Association of America (MPAA) earlier this week by listing The Pirate Bay torrents on its own website via an XSS flaw, has disclosed that the Recording Industry Association of America (RIAA) suffers from a similar weakness. Additionally, more MPAA-controlled websites used to search for movie ratings are vulnerable.

Vektor is a member of Team Elite, a group of programmers and security enthusiasts that has disclosed cross-site scripting and other Web vulnerabilities in many high-profile websites. Its list of pwned sites so far includes the likes of eBay, Intel, McAfee, Symantec, Kaspersky, Avira and ESET. Late last week, the outfit published details about several XSS weaknesses found in the mpaa.org website.

The newly discovered vulnerability in riaa.com is similar in nature to the MPAA one, as it allows rogue IFrames to be injected into the website's pages. IFrames can be used to load content from external servers and, in order to keep in line with his earlier The Pirate Bay joke, Vektor chose to inject a listing from Mininova, another popular torrent tracker, into the RIAA website.

Furthermore, Vektor identified two more security risks: a full path disclosure caused by an error in the email.php script used by the website, and an unprotected directory. "This is a proof of concept that proves an XSS on riaa.com website and should be taken as a joke," the hacker points out. He has previously advised that, while exploited in a funny manner, such flaws should not be taken lightly, because they could just as well be used by attackers to serve malicious content to visitors.
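To make the two weaknesses above concrete from the site operator's side, here is an added example (not code from the article, Team Elite or either association): a minimal rating-search page handler that reflects a query parameter into HTML the way a reflected XSS bug does, the same handler with output escaping, a small regression check that a test suite can run over rendered pages, and an error wrapper that keeps script paths out of the visitor's page. The parameter name `title`, the function names and the sample values are all assumptions made for this example.

```python
"""Added example (not from the article or Team Elite): a minimal rating-search
page handler showing the reflected-XSS pattern the article describes, its
hardened form, and an error wrapper that avoids full path disclosure.
All names, parameters and sample values here are assumptions."""
import html
import logging
from urllib.parse import parse_qs

log = logging.getLogger("rating_search")


def _title_param(query_string: str) -> str:
    """Pull the 'title' parameter (assumed name) out of a URL query string."""
    return parse_qs(query_string).get("title", [""])[0]


def render_search_vulnerable(query_string: str) -> str:
    """Reflects the search term verbatim into HTML. Any markup a visitor is
    lured into submitting (for example an <iframe> pointing at a third-party
    server) is rendered live, which is the class of bug the article covers."""
    return f"<h1>Results for: {_title_param(query_string)}</h1>"


def render_search_hardened(query_string: str) -> str:
    """Same page with the reflected value HTML-escaped, so angle brackets and
    quotes reach the browser as text rather than as tags or attributes."""
    safe_title = html.escape(_title_param(query_string), quote=True)
    return f"<h1>Results for: {safe_title}</h1>"


def contains_active_markup(page: str) -> bool:
    """Coarse regression check for a test suite: does the rendered page carry
    a frame or script tag that the template itself never emits?"""
    lowered = page.lower()
    return "<iframe" in lowered or "<script" in lowered


def handle_request(handler, query_string: str) -> str:
    """Run a page handler and never let an exception's text (which often
    embeds the script's filesystem path) reach the visitor. Details go to
    the server log instead; the visitor gets a generic page."""
    try:
        return handler(query_string)
    except Exception:
        log.exception("handler failed for query %r", query_string)
        return "<h1>Search temporarily unavailable</h1>"


def broken_email_handler(query_string: str) -> str:
    """Constructed stand-in for a script that errors out with its own path in
    the message; the path is invented for this example."""
    raise RuntimeError("mail() failed in /var/www/example/email.php")


# Constructed sample query: the 'title' value decodes to an <iframe> tag
# pointing at a reserved, non-routable name.
SAMPLE_QUERY = (
    "title=%3Ciframe+src%3D%22http%3A%2F%2Fexample.invalid%2F%22%3E%3C%2Fiframe%3E"
)

if __name__ == "__main__":
    print("vulnerable :", render_search_vulnerable(SAMPLE_QUERY))
    print("hardened   :", render_search_hardened(SAMPLE_QUERY))
    print("error page :", handle_request(broken_email_handler, SAMPLE_QUERY))
```

The escaping in `render_search_hardened` is the fix for the IFrame injection described here: the injected tag survives only as inert text. `handle_request` addresses the second finding; the full exception, path included, still lands in the server log, where an operator can act on it, but not in the response.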

In a simultaneous post, Vektor outlines more XSS bugs in another website controlled by the MPAA and used to search for movie ratings. No fewer than 12 different domain names owned by the association point to this website. "Some people say MPAA's movie rating system is useless, an inconvenience for independent distributors. A bug in their movie rating search websites makes it even more useless," the greyhat writes. "An XSS bug in all these websites allows 'smart marketers' to fake the ratings of a movie or trojan spreaders to infect website visitors," he explains.

The RIAA vulnerabilities seem to have been addressed, except for the full path disclosure error. The ones in the MPAA movie-rating website, however, were still active at the time of writing this article, which allowed us to take some screenshots of our own.

[Image: Movie rating forging through XSS on MPAA-controlled website]
[Image: RIAA IFrame injection sample]
[Image: Arbitrary content injection in MPAA movie-rating website]
[Image: IFrame injection in MPAA movie-rating website]
© Copyright 2001-2010 Softpedia
User opinions:


Comment #1 by: r4w on 06 May 2009, 12:05 GMT reply to this comment

Check the Distributor attribute in the last picture. It says Music And Film Industries of America (MAFIA) :D