web application security lab

$1000 to Steal Data From 30% of Sites

Jake Reynolds alerted us to a link that I think is worth posting about. Apparently Joel Snyder bet Acunetix $1000 that they couldn’t steal personal information from 30% of the sites that they found. Wow… I WISH someone would bet me something like that. It’s one of the easiest challenges I’ve ever heard. Firstly, Joel is hugely missing the point. It’s not just about stealing databases (this is such an old-school way of thinking about security anyway - that information breaches have to involve penetration). It’s about users who visit the site being asked to do things or being forced to do things that will compromise their information. Oh, let me count the ways:

mhtml (IE only): as long as the site suffers from some XSS hole, I can steal any information from any website the user has logged into. I would consider that a huge breach of security.

keystroke stealing (both Firefox and IE versions): thank you, Michal Zalewski, for showing us that we can steal information from the user’s drive.

Clipboard stealing (works in IE): there is all kinds of sensitive information on users’ clipboards.

JavaScript port scanners: let’s steal information about the user’s network, open up their network and see what they’ve got. You could argue this isn’t really an information breach, but if the people who work at the company view it, it could be a means to break into their company. Uh, yah, that’s bad.

phishing: let’s not forget the old favorite. If users trust the site, they will happily input anything you ask them to. That definitely compromises users’ accounts, I’d say.

Let’s not forget about CSRF or other information leaks. Someone, bet me $1,000! Actually no, bet me $100,000, while you’re at it. Ah, hell, make it a cool million. I do get Joel’s point - there is a lot of snake oil out there these days, but saying that you cannot take people’s information from them is completely failing to understand modern security holes. Acunetix, if you want help taking Joel’s money, let me know.

14 Responses to “$1000 to Steal Data From 30% of Sites”

  1. Kyran Says:

    I just read this on /. Hehe Hey, I could use some money.

    But seriously, for once I agree with Acunetix, 70-80% of sites are vulnerable to something. I think most of us have thought this for awhile. You don’t even need a vulnerability for phishing either, which just increases the risks.

  2. Delixe Says:

    I think there’s a huge misconception as to what constitutes vulnerable and what constitutes exploitable.

    Based on a broad principle, I’d say the only sites not vulnerable are a great majority of plain ol’ static HTML websites that don’t do anything dynamic. Does that account for the remaining 30%?

    I am guessing Joel was referring to a limited case in what methods you’re allowed to use such as SQL injection and XSS. There’s really a lot of methods, for this to be valid we really need to define what’s “vulnerable” and “exploitable.” What are the rules this statistic is based on?

  3. nEUrOO Says:

    I don’t think there are rules… if you can find an attack that exploits, in a sense, the “vulnerability” then it’s vulnerable.

    Well, the last posts (since the Acunetix news in the NYT) show something at least… we don’t even know what a vulnerability really is. Are there many types of vulnerabilities? Because frankly, when we talk about XSS, this is a weakness! Of course you can say vulnerability but it’s a little bit blurry (at least for me).

  4. RSnake Says:

    Hmm… this is a slippery slope. If you can inject PHP is that a weakness or a vulnerability? The fact that you can inject it alone is not the problem. The problem is what you can do with it once injected. If the site is otherwise completely static, doesn’t allow egress packets other than to the requestor IP, and it’s in a chrooted jail, although the weakness is there, and you can now phish that user’s credentials (since you can output anything you like to the user seeing it) it’s not a vulnerability because no one else is harmed.

    I dunno… I for one think it’s a vulnerability if it can be used to harm anyone.

  5. Chris Shiflett Says:

    I always thought it was a vulnerability if it could be exploited, regardless of whether the exploit was damaging. That at least pushes the responsibility to the definition of exploit. :-)

    These risk/vulnerability/weakness discussions remind me of the filtering/sanitizing/validating ones, not to mention all of the alternative names being invented for CSRF.

    It sure would be nice for more consistency and simplicity…

  6. rdivilbiss Says:

    Acunetix is attempting to accept the challenge by limiting the site to just one, Network World’s; citing legal issues.

    I should think it would be simple enough to find ten website owners willing to allow their sites to be used for the challenge in exchange for assistance from Acunetix in fixing any flaws before the results are published.

    Not knowing the abilities of Acunetix’s personnel, I think Joel Snyder is wrong and would lose his $1000.

  7. Jungsonn Says:

    Yep. Acunetix really can’t make that claim, because you need proof to say that you can actually steal things from a website. Most vulnerabilities are only theoretical ones; they say nothing of the real world where one must actually do it.

    If I see an XSS vulnerability, the next thing I have to come up with is how to exploit it. If such things exist on high traffic sites like eBay, that’s a big worry. But I’ll bet a lot that such companies don’t scan their site with scanners but audit code by hand.

    I can also think up theoretical vulnerabilities like: I’m sure I can steal money from 70% of all local banks, that’s a theory. I might be able to buy a gun and “might” be able to steal from 1 to 10 banks before they arrest me. Would I be able to steal from 70% of all banks? I don’t know because you have to try it first.

    Theory is great, but in practice many things/plans fail.

  8. Wladimir Palant Says:

    From http://www.networkworld.com/community/?q=node/11501 : “I think that they are missing the point. […] But the question is: When you have a cookie, what can you do with it? A lot of Web sites also tie cookies to your IP address, which means that if you steal my cookie, you got nothing but crumbs.”

    That says it all pretty much. Snyder is by no means an expert on web application security. AFAICT most sites don’t bind the cookie to your IP address because there are lots of users out there that change their IP address all the time (or the web developers are simply unaware of the problem). But even if the cookie is worthless, there is so much more you could do with XSS than plain cookie-stealing… Most of the time you won’t need the cookies, XSS allows you to make the user do whatever you need him to do. I guess on most sites you could even change the password because they don’t require you to enter the old password for this. Or change the email address of the account to your own so you can use the “Forgot password” function. If everything else fails you open the vulnerable page in a new window and make it display an almost authentic login form - a little social engineering and the user will give you access to his account. Who needs the cookie?
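
The argument in the comment above, as an added illustration that is not part of the original thread: a session cookie tied to the client IP does not stop account changes driven from the user’s own browser, whereas requiring the current password for a password change does. All class names, the user and the addresses are constructed for the example.

```python
"""Added example (not from the original thread): why tying a session cookie
to the client IP does not block in-browser account changes, and what does."""
from dataclasses import dataclass, field

VICTIM_IP = "198.51.100.7"  # constructed documentation-range address

@dataclass
class Account:
    email: str
    password: str

@dataclass
class Session:
    user: Account
    bound_ip: str  # IP recorded at login, the control Snyder relies on

@dataclass
class Request:
    session: Session   # the cookie the browser attached
    source_ip: str     # where the TCP connection came from
    params: dict = field(default_factory=dict)

def session_ok(req: Request) -> bool:
    """The IP-binding check: accept only if the cookie's IP matches."""
    return req.session.bound_ip == req.source_ip

def change_password_weak(req: Request) -> bool:
    """Weak: any request inside a valid session may set a new password."""
    if not session_ok(req):
        return False
    req.session.user.password = req.params["new_password"]
    return True

def change_password_hardened(req: Request) -> bool:
    """Hardened: the request must also carry the current password, which
    script injected into the page cannot read out of the browser."""
    if not session_ok(req):
        return False
    if req.params.get("current_password") != req.session.user.password:
        return False
    req.session.user.password = req.params["new_password"]
    return True

def in_session_request(handler) -> bool:
    """A request issued from inside the victim's own page: same IP, same
    cookie, so the IP-binding check is satisfied either way."""
    acct = Account(email="victim@example.com", password="s3cret")
    sess = Session(user=acct, bound_ip=VICTIM_IP)
    return handler(Request(sess, VICTIM_IP, {"new_password": "changed"}))
```

The weak handler accepts the in-session request and the hardened one rejects it, while a genuine user who supplies the current password still succeeds.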

  9. RSnake Says:

    Hilarious read: If you aren’t following this thread, you’re missing out. Thousand-Dollar-Joel is destroying his own reputation, brick by brick: http://www.matasano.com/log/700/joel-snyder-follows-up-matasano-provides-the-missing-subtext/

  10. RSnake Says:

    Oh, and given the fact that the sla.ckers have found several vulnerabilities in informationweek, in just a few hours, are we saying that 30% of sites don’t have vulnerabilities in them http://sla.ckers.org/forum/read.php?3,6877 or that you cannot exploit 30% of vulnerabilities… or some other complete nonsense? Joel doesn’t appear to be very clued in.

  11. Mephisto Says:

    It’s become abundantly clear that even network security experts really don’t have a clue when it comes to application security. Personally, I feel bad for the guy because it’s obvious he’s missed the boat when it comes to this area of security…

  12. fadetoblack.ch » Ganz grosses Kino: Acunetix vs. Snyder Says:

    […] RSnake - $1000 to Steal Data From 30% of Sites […]

  13. Chris Shiflett Says:

    Wladimir, I couldn’t agree more with your critique. I replied to Joel’s Slashdot comment the other day:

    http://slashdot.org/comments.pl?sid=222326&cid=18013780

    There’s something uniquely irritating about clueless, arrogant people:

    “The astonishing thing is that most people who will read this press release just don’t get it, and the depths of their not getting it are even more astonishing.”

    His comments about IPs make me think he doesn’t really know anything about networks, either.

  14. Jungsonn Says:

    I’ll bet he does. I really start to doubt everyone who doesn’t agree or tries to agree with him. Either one doesn’t understand his arguments or what he really means in full context, for real.