The diet scam campaign has been around for weeks, abusing the bug in CNN's website

Jun 7, 2013 11:40 GMT

An open redirect vulnerability in the website of world-renowned media organization CNN is being abused by spammers for a campaign promoting shady miracle diets.

E Hacking News has spotted several spam tweets. Here are just a few examples:

“The diet porgram you told us about yesterday is soo good! hxxx://cgi.cnn.com/cgi-bin/redir?URL=hxxx://tumblrhealth.me”

“I love myself even more after I started your diet porgram hxxx://cgi.cnn.com/cgi-bin/redir?URL=hxxx://tumblrhealth.me”

According to E Hacking News, the cybercriminals have also leveraged a similar vulnerability in a Yahoo domain to trick users into thinking that the links point to a trusted website.
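The tweets above show the shape of the abuse: a redirector on a trusted domain takes its destination from a `URL` query parameter and forwards the browser there without checking it, so a spam link looks like a cgi.cnn.com link. The defensive fix is to treat the parameter as untrusted and only honour same-site paths or an explicit allowlist of hosts. The validator below is an added example written for this article, not code from CNN, Yahoo or ask.com; the `ALLOWED_HOSTS` set and the `/` fallback are assumptions, and the probe inputs in `demo()` are constructed from the URL forms quoted above.

```python
"""Validate a user-supplied redirect target before issuing a 302.

Added example (not the site's own code). Assumes a hypothetical allowlist of
hosts the redirector may send users to; everything else falls back to ``/``.
"""
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allowlist: hosts this redirector is permitted to target.
ALLOWED_HOSTS = {"www.example.com", "edition.example.com"}


def safe_redirect_target(url: str, default: str = "/") -> str:
    """Return ``url`` if it is a same-site path or an allowlisted absolute URL,
    otherwise ``default``.

    Rejects the usual open-redirect bypasses: foreign hosts, protocol-relative
    "//host" links, backslash variants, non-http schemes, and "user@host"
    tricks where the allowlisted name sits in the userinfo part.
    """
    if not url:
        return default

    # Browsers ignore embedded tab/newline characters and treat "\" like "/",
    # so normalise the same way before parsing or "/\evil.test" slips through.
    normalized = url.replace("\t", "").replace("\r", "").replace("\n", "")
    normalized = normalized.replace("\\", "/")
    parts = urlsplit(normalized)

    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: scheme and host must both be acceptable.
        if parts.scheme.lower() not in ("http", "https"):
            return default
        if parts.username is not None or parts.password is not None:
            return default
        host = (parts.hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            return default
        return urlunsplit(parts)

    # No scheme, no authority: only accept an absolute local path ("/...").
    # A leading "//" would already have produced a netloc above.
    if not normalized.startswith("/"):
        return default
    return normalized


def demo() -> dict:
    """Run constructed probe values through the validator (sample data only)."""
    probes = [
        "http://tumblrhealth.me",                      # the spam destination from the tweets
        "//tumblrhealth.me/",                          # protocol-relative
        "/\\tumblrhealth.me",                          # backslash variant
        "javascript:alert(1)",                         # non-http scheme
        "http://www.example.com@tumblrhealth.me/",     # allowlisted name in userinfo
        "/article/2013/diet?ref=tw",                   # legitimate same-site path
        "https://edition.example.com/story/1",         # legitimate allowlisted host
    ]
    return {p: safe_redirect_target(p) for p in probes}


if __name__ == "__main__":
    for target, result in demo().items():
        print(f"{target!r:50} -> {result!r}")
```

Wire `safe_redirect_target` in front of whatever issues the `Location:` header; the point is that the browser never receives a destination the application did not explicitly vet. Signed or opaque redirect tokens are an alternative when the set of legitimate destinations is large, but an allowlist plus a same-site path rule covers the common case and is easy to audit.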

The crooks have mentioned various celebrities and media organizations in their tweets in the hope of getting them to retweet.

Apparently, the trick worked. The rapper 50 Cent retweeted the following post to his 7.6 million followers: “@ 50Cent Your new diet has me looking good! Thanks for the info us.ard.yahoo.com /SIG=15ohh3h62/M[redacted].”

The spammy site replicates a page from Women’s Health and even abuses the popularity of the Dr. Oz show to make everything look more legitimate.

However, as many have pointed out, the spam run is not new. It has been making the rounds for weeks, abusing the vulnerabilities in the CNN and Yahoo websites.

Today, CNN finally issued a short response saying they were looking into the issue, but the reply came only after F-Secure CRO Mikko Hypponen reached out to them on Twitter.

Which once again brings us to the question “Why don’t major organizations take security reports seriously?”

“I know some researchers have reported XSS issues to [CNN] as well and they are not fixed. Companies really should open a channel for ethical/white hat hackers or security researchers and take it into use. Now it took [Mikko Hypponen] before CNN even answered,” security expert Janne Ahlberg told us in an email.

“Security-alert@company, security@company email address is a fairly easy, low-cost solution. This applies to all companies, not just CNN. Opening a channel and listening to it will pay off: there are still people who want to report vulnerabilities in an ethical manner, but I don't know for how long,” he added.

“Many have moved to test only companies that do have the channels or bounty program. I'm no longer actively testing/reporting XSS, because reporting is often impossible and even if it succeeds, some companies won't fix,” the expert commented.

“Some really don't see or understand why they should. XSS is comparable to open redirect in the sense that the site itself is not a target. Does this mean that companies do not care if users are being fooled/attacked using vulnerabilities on their sites? I would like to believe this is not the case - perhaps they just have not opened a reporting channel.”

In the case of CNN, things could be much worse, the expert says.

“What if the attacker would know about the alleged XSS issues on CNN? They could point the link to an XSS-vulnerable page where the attacker could insert a FB/Twitter fake login - phishing via XSS seems to be getting more popular,” Ahlberg noted.

“If they succeed (to some extent) with a simple diet-spam, they could succeed with phishing as well. No need for anything too complex like session hijacking: just ask for some credentials directly and many users could simply enter them. After all, the site is well-known and therefore users may trust them.”

CNN has not responded to our request for comment.

Update. Janne Ahlberg has informed us that CNN has fixed the open redirect vulnerability. However, that hasn't stopped the spammers. They're now abusing a similar security hole in ask.com.

Apparently, the open redirect vulnerability in ask.com was reported to the company back in 2010, but it's still unfixed.