Kid hackers break XSS defences, find hack hole in 2 million websites

Hackers Karim Rahal and Ibram Marzouk have found multiple cross-site scripting vulnerabilities in the HTML Comment Box widget, which is embedded in some 2 million websites, opening avenues to compromise visitors to those sites. Rahal (@KarimPwnz) and Marzouk (@0xibram), both 14-year-old students based in Lebanon, reported the flaws through Detectify's …

Your article didn't seem to make it that clear what software was affected by this. Did some further looking and it's a bit of software actually called "Html Comment Box" which is found at https://www.htmlcommentbox.com/

Fortunately never used it so not affected.

4
0
Silver badge

It's a Google thing. From the site: "To be the moderator for this comment box, Log in to your Google account before you copy the code."

0
0
Anonymous Coward

That's what happens when you can mix text formatting with executable code

HTML has been hopelessly broken since it allowed executable code within what should have been text formatting. A sensible mode wouldn't have allowed it, keeping it separate and enforcing the source.

9
0
Gold badge

Good work kids.

As for skiddies at https://www.htmlcommentbox.com/

Do you actually get paid to write that s**t?

2
0
Silver badge

Cross-site scripting bugs

The root cause of these types of bugs is allowing one webpage to call a script residing on another domain, great for inserting adverts, not so great for security.

5
0
Silver badge

Re: Cross-site scripting bugs

The sad thing...

It shows just how lazy people are and how trusting they are of others. If you don't know who wrote the code, why do you trust it?

3
0
Silver badge

Re: Cross-site scripting bugs

... because they did a "Learn to be a web designer in 20 days" course and started spamming the world.

0
0

Well Done

To the two lads in Lebanon. Hope they were well paid.

6
0
Bronze badge

XSS and CSRF, along with SQLi, are all preventable by good programming. The problem is that any kid reckons they can knock something up by pulling one module from here, another from there, and expecting them to work, without either the understanding or the will to manage the interactions.

I am off on my high horse again, but if the original coders were worth their salt, the holes would not have been there.

1
0
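To put the "preventable by good programming" point above in concrete terms, here is an added example (written for this page, not the HTML Comment Box code; the article excerpt does not say which inputs its real flaws involved) of a comment widget rendering a user-supplied comment into HTML. The unsafe variant concatenates raw strings, so a commenter controls the markup of every page that embeds the widget; the hardened variant escapes per context and, because escaping alone does not help in an `href`, allowlists URL schemes. Field names, the `escapeHtml` helper and the sample comments are all constructed for the example.

```javascript
// Added example, not HTML Comment Box's own code. Escape the five characters
// that matter in HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Escaping is the wrong tool for a URL attribute: "javascript:alert(1)" survives
// escapeHtml() untouched. Parse the URL and allow only http(s); otherwise drop it.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : null;
  } catch (e) {
    return null;
  }
}

// Vulnerable: the commenter's name, website and body go straight into the markup.
function renderCommentUnsafe(c) {
  return '<div class="comment">' +
    '<a href="' + c.website + '">' + c.name + '</a>' +
    '<p>' + c.body + '</p></div>';
}

// Hardened: text contexts are escaped, the href is validated and then escaped,
// and a rejected URL falls back to a plain <span> rather than an empty link.
function renderCommentSafe(c) {
  const href = safeHref(c.website);
  const author = href
    ? '<a href="' + escapeHtml(href) + '" rel="nofollow noopener">' + escapeHtml(c.name) + '</a>'
    : '<span>' + escapeHtml(c.name) + '</span>';
  return '<div class="comment">' + author + '<p>' + escapeHtml(c.body) + '</p></div>';
}

// Crude check to make the difference visible: count start tags in the output.
// The template contributes exactly 3 (div, a|span, p); anything beyond that
// was injected by the commenter.
const TEMPLATE_TAG_COUNT = 3;
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}
function introducesMarkup(render, c) {
  return countStartTags(render(c)) > TEMPLATE_TAG_COUNT;
}

// Constructed sample comments: one benign, one carrying payloads in all three fields.
const CONSTRUCTED_COMMENTS = [
  { name: 'Alice', website: 'https://example.com', body: 'Nice post' },
  {
    name: '<img src=x onerror=alert(1)>',
    website: 'javascript:alert(document.cookie)',
    body: '</p><script>alert(1)</script>',
  },
];

for (const c of CONSTRUCTED_COMMENTS) {
  console.log('unsafe injects markup:', introducesMarkup(renderCommentUnsafe, c));
  console.log('safe   injects markup:', introducesMarkup(renderCommentSafe, c));
}
```

The tag count is only a demonstration device; in a browser the unsafe output would execute the `onerror` handler and the injected script, while the safe output renders the payloads as visible text and drops the `javascript:` link entirely.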

Biting the hand that feeds IT © 1998–2017