CNN Bug Patched; Attackers Move On

Tuesday, June 11, 2013 @ 05:06 PM gHale


Spammers advertising a diet plan were leveraging an open redirect vulnerability in CNN’s website to trick Twitter users into thinking their malicious links led to a legitimate website.

Since CNN addressed the vulnerability, spammers moved on to other sites and started abusing a similar open redirect vulnerability in Ask.com.
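The flaw these spammers abused is an open redirect: a site takes a destination from a query parameter and issues an HTTP redirect to it unchecked, so a link that visibly starts with a trusted host ends up on the attacker's page. As an added example (not CNN's, Ask.com's or Yahoo's code, and using a constructed `example.com` allow-list), the unsafe pattern is shown beside a validating version that follows only same-site relative paths or exactly allow-listed hosts:

```python
from urllib.parse import urlparse

# Constructed allow-list for this example; a real site would list its own hosts.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def unsafe_redirect_target(url_param: str) -> str:
    """The open-redirect pattern: redirect to wherever ?url= says, no questions asked."""
    return url_param


def safe_redirect_target(url_param: str, default: str = "/") -> str:
    """Return the requested target only if it stays on our site, else a safe default."""
    if not url_param:
        return default
    parsed = urlparse(url_param)

    # Reject javascript:, data:, and other non-HTTP schemes outright.
    if parsed.scheme not in ("", "http", "https"):
        return default

    if parsed.scheme == "" and parsed.netloc == "":
        # Path-only value. Browsers treat "//host" and "/\host" as host-relative,
        # so those are open redirects in disguise; only a plain "/..." path passes.
        if url_param.startswith(("//", "/\\", "\\")):
            return default
        return url_param if url_param.startswith("/") else default

    # Absolute (or scheme-relative) URL: compare the parsed hostname exactly.
    # parsed.hostname strips userinfo, so "https://www.example.com@evil.test/"
    # resolves to "evil.test" and fails; suffix tricks like
    # "www.example.com.evil.test" fail because there is no substring matching.
    host = (parsed.hostname or "").lower()
    return url_param if host in ALLOWED_HOSTS else default


def demo() -> tuple[str, str]:
    # Constructed spam-style link: trusted-looking host, attacker-chosen destination.
    spam_destination = "https://diet-spam.invalid/"
    return unsafe_redirect_target(spam_destination), safe_redirect_target(spam_destination)


if __name__ == "__main__":
    print(demo())  # ('https://diet-spam.invalid/', '/')
```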


The Ask.com open redirect vulnerability was reported to the company back in 2010, but it is still unfixed, said security expert Janne Ahlberg, who has been monitoring the spam campaign.

The spammers are also exploiting a similar security hole in a Yahoo site to convince potential victims their links point to a trustworthy website.

To increase their chances of success, they keep sending tweets to celebrities in hopes some of them will retweet their messages.

While CNN officials said they addressed one vulnerability, E Hacking News’ Sabari Selvan said he identified another open redirect vulnerability in one of the media organization’s websites.

This flaw, which was reported to the company in 2010, is not the one abused by the spammers, but it shows that companies continue to put a band-aid over the cut rather than assessing what the real problem is and making sure it is completely fixed.


