Jake Reynolds alerted us to a link that I think is worth posting about. Apparently Joel Snyder bet Acunetix $1000 that they couldn't steal personal information from 30% of the sites they found. Wow... I WISH someone would bet me something like that. It's one of the easiest challenges I've ever heard of. Firstly, Joel is hugely missing the point. It's not just about stealing databases (this is such an old-school way of thinking about security anyway: that information breaches have to involve penetration). It's about users who visit the site being asked to do things, or being forced to do things, that will compromise their information. Oh, let me count the ways:
mhtml (IE only): as long as the site suffers from some XSS hole, I can steal any information from any website the user has logged into. I would consider that a huge breach of security.
Keystroke stealing (both Firefox and IE versions): thank you, Michal Zalewski, for showing us that we can steal information from the user's drive.
Clipboard stealing (works in IE): there are all kinds of sensitive information on the user's clipboard.
JavaScript port scanners: let's steal information about the user's network, open up their network and see what they've got. You could argue this isn't really an information breach, but if the people who work at a company view the page, it could be a means to break into that company. Uh, yah, that's bad.
Phishing: let's not forget the old favorite. If users trust the site, they will happily input anything you ask them to. That definitely compromises users' accounts, I'd say.
Let’s not forget about CSRF or other information leaks. Someone, bet me $1,000! Actually no, bet me $100,000, while you’re at it. Ah, hell, make it a cool million. I do get Joel’s point - there is a lot of snake oil out there these days, but saying that you cannot take people’s information from them is completely failing to understand modern security holes. Acunetix, if you want help taking Joel’s money, let me know.