Wednesday, August 29, 2007

Warning: Daily Kos is Under Attack

If you visit Daily Kos, you should be aware it has come under attack.

This news has not appeared on the Daily Kos front page. Instead, Hunter (one of the admins) has written a diary on the side titled "Malicious Link Warning (IMPORTANT)" in which he states:

So yes indeed, there was a malicious diary placed on Daily Kos very early in the morning: people who clicked a link provided by the diarist were directed to a site with a malicious script on it designed to steal your dKos cookies. The "script kiddie" was then able to log in as those users and write comments or diaries under their names, change their signatures, etc.

This isn't the first time a script kiddie has tried to target Daily Kos, and it won't be the last. We delete the attacks, alert the service provider, and take other actions as necessary.

Note that this isn't a "hacking" attempt. Nobody succeeded in actually getting a malicious script on Daily Kos itself (though lord knows, people try on a regular basis). Nope, this was a "script kiddie" using well-known XSS (cross-site scripting) attacks -- the sort of "trojan horse" attacks that have been common to email spammers and virus writers for years -- and which other sites have unfortunately also had to deal with in their own comments. Since it can't perform a malicious action directly, it relies on tricking you into going to some other site where a malicious script can be run, virus uploaded, etc.

There is an absolute defense against such scripts, though: don't click the link. Don't click ANY link leading away from the site unless you are reasonably certain that it goes to a safe place. This counts for URL shortening services, too: if you see a "shortened" link and you don't know where it goes, DO NOT CLICK.

According to various reports from Daily Kos members today, many have been scrambling to understand exactly what happened since this behaviour was noticed last night. The delay of an "official" response from a site administrator caused widespread confusion and concern, as users were left to their own devices to figure out how to deal with the problem. The "malicious script" apparently also set off a loop of porn ads on some affected users' computers.

Along with the above advice and some internal housekeeping tips, Hunter also offers this:

...if you're using firefox [sic] and want hardcore protection against scripted attacks, try the noscript plugin. It will prevent scripts from running unless you explicitly allow them on a site-by-site basis. Perhaps folks in comments can suggest similar measures for other browsers.

(Oh, and general internet advice -- no matter where you are, never click anything hosted on php0h.com, which has hosted nearly every one of these "script kiddie" attacks over the last year.)

We'll be forcibly logging out all users every once in a while in an effort to wipe the affected cookies. If you get logged out, just log back in. And for pete's sake, be careful what you click.

No official word yet on how many computers have been affected or how this attack has affected the site's traffic overall.
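The two server-side measures implied by the incident above are worth seeing in code: marking the session cookie HttpOnly so a page script cannot read it in the first place, and keeping a revocable server-side session record so that "forcibly logging out all users" actually voids every cookie already issued, stolen ones included. The following is an added illustration written for this post, not Daily Kos's own code and not anything recovered from the 2007 attack; the names SessionStore, issue_session, cookie_header, user_for and force_logout_all are hypothetical, and the secret is a constructed test value.

```python
"""Session-cookie hardening plus a global forced logout (added example)."""
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie


class SessionStore:
    """In-memory session registry; a real site would back this with a database."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._sessions = {}       # session id -> (user, issued_at, generation)
        self._generation = 0      # bumped on every global forced logout

    def _sign(self, sid: str) -> str:
        # HMAC over the id so a forged or tampered cookie fails before the
        # store is even consulted
        return hmac.new(self._secret, sid.encode(), hashlib.sha256).hexdigest()

    def issue_session(self, user: str) -> str:
        """Create a session for a logged-in user and return the cookie token."""
        sid = secrets.token_urlsafe(32)      # base64url: never contains '.'
        self._sessions[sid] = (user, time.time(), self._generation)
        return f"{sid}.{self._sign(sid)}"

    def cookie_header(self, token: str) -> str:
        """Set-Cookie value carrying the attributes that keep page scripts and
        cross-site requests away from the session cookie."""
        c = SimpleCookie()
        c["session"] = token
        c["session"]["httponly"] = True      # document.cookie cannot read it
        c["session"]["secure"] = True        # only ever sent over HTTPS
        c["session"]["samesite"] = "Lax"     # not attached to cross-site POSTs
        c["session"]["path"] = "/"
        return c["session"].OutputString()

    def user_for(self, token: str):
        """Return the user behind a valid token, or None if forged or revoked."""
        sid, _, sig = token.rpartition(".")
        if not sid or not hmac.compare_digest(sig, self._sign(sid)):
            return None
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        user, _, gen = rec
        if gen != self._generation:          # issued before the last forced logout
            del self._sessions[sid]
            return None
        return user

    def force_logout_all(self) -> None:
        """What 'forcibly logging out all users' amounts to server-side: every
        token issued so far stops validating, whoever is holding it."""
        self._generation += 1


if __name__ == "__main__":
    store = SessionStore(b"constructed-demo-secret")   # constructed test value
    token = store.issue_session("alice")
    print(store.cookie_header(token))
    print("before forced logout:", store.user_for(token))
    store.force_logout_all()
    print("after forced logout: ", store.user_for(token))
```

The generation counter is the point of the design: the operator does not need to know which cookies were stolen, because bumping one number invalidates all of them at once, and honest users simply log back in, which is exactly the behaviour the admin describes. HttpOnly does not stop a script from making requests with the cookie attached, so it complements rather than replaces the server-side revocation.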