15 y.o. teen discovers security holes in Google, Facebook and Microsoft code
Feb. 3, 2012
Cim Stordal, a fifteen-year-old, has discovered several critical security flaws in code belonging to Google, Facebook, Microsoft and Apple.
When he's not in school, Cim spends part of his time playing the Team Fortress video game, shooting his Airsoft pellet gun, and working in a fish store in Bergen, Norway.
But his real passion is hunting for and discovering security flaws in software used by millions of people today, both on and off the internet.
And Cim has made the Google Security Hall of Fame. He has also been credited with disclosing a cross-site scripting issue to Apple, has been thanked by Microsoft officials for disclosing a security vulnerability to the company, and has received an elite 'White Hat' Visa card from Facebook with $500 credit on it.
"I got a card for a self-persistent XSS (cross-site scripting issue) at Facebook, and a nonpersistent XSS at Google, Microsoft, and Apple," he said.
Because it was a self-persistent issue, the Facebook security hole Stordal disclosed wasn't exploitable by a third party: a user had to take an action themselves to be at risk.
"I just look around at the site and find out where I can input HTML code and it's not filtered in the source code. Often they filter some characters but forget some or they totally forget that input," he said.
"What an attacker often wants is just the cookie, which can be used to log in as the user," he said. Stordal added that of all the sites he poked around in, surprisingly, Apple was the easiest to find a security flaw in. "I found the Facebook security issue after four days and the Google one after three, but Apple took me only five minutes" to find two XSS flaws, he said. Apple representatives did not respond to a request seeking comment.
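The pattern Stordal describes, filters that rewrite some characters but forget others, is the classic cause of reflected and self-persistent XSS. The following Python is an added example written for this page, not code from the article or from any of the companies named: it places a constructed untrusted string inside an HTML attribute using, first, a filter that encodes only `<` and `>`, and then `html.escape(..., quote=True)`, and uses the standard-library HTML parser to check whether the value stayed inside the attribute it was written into. The function names and the sample input are assumptions made for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample of untrusted input: a stray double quote followed by text
# that a browser would read as a second attribute if the quote is not encoded.
SAMPLE_INPUT = 'hello" title="injected'


def naive_filter(value: str) -> str:
    """Incomplete blocklist filter: rewrites '<' and '>' but forgets the quote
    characters, so it is safe in text content but not inside attributes."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def encode_for_attribute(value: str) -> str:
    """Context-aware encoding: with quote=True, html.escape also encodes
    '"' and "'", which is what a double-quoted attribute value needs."""
    return html.escape(value, quote=True)


def render_input(value: str, encoder) -> str:
    """Server-side template: the untrusted value lands in a double-quoted
    attribute of an <input> tag after passing through the chosen encoder."""
    return f'<input type="text" value="{encoder(value)}">'


class _AttrCollector(HTMLParser):
    """Records the attributes the parser sees on the <input> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parse_input_attrs(fragment: str) -> dict:
    """Parse a rendered fragment the way a browser would and return the
    attribute names and (unescaped) values found on the <input> tag."""
    parser = _AttrCollector()
    parser.feed(fragment)
    parser.close()
    return parser.attrs


def value_stays_in_attribute(value: str, encoder) -> bool:
    """True when the rendered tag carries exactly the two attributes the
    template wrote and the value attribute round-trips to the original input.
    False means the untrusted input escaped the attribute context."""
    attrs = parse_input_attrs(render_input(value, encoder))
    return set(attrs) == {"type", "value"} and attrs.get("value") == value


if __name__ == "__main__":
    for label, encoder in (("naive filter", naive_filter),
                           ("html.escape(quote=True)", encode_for_attribute)):
        contained = value_stays_in_attribute(SAMPLE_INPUT, encoder)
        print(f"{label:24} -> {render_input(SAMPLE_INPUT, encoder)}")
        print(f"{'':24}    value stayed in attribute: {contained}")
```

The check is deliberately parser-based rather than a string comparison: the question a defender cares about is not whether a particular character survived, but whether the markup a browser reconstructs still has the shape the template intended. The naive filter passes for text such as `<b>x</b>` and fails only on the quote case, which is exactly the "they filter some characters but forget some" failure mode.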
And the companies involved appreciate his efforts, particularly because he tells them before going public with any of the details. "Everyone was happy about it and they fixed the issues kind of fast," he said.
Stordal started looking for security vulnerabilities in software when he was just 14 years old last year. "I have always loved being on the PC and I already was programming some C++," he said. "So I wanted to do something new and constructive, so I searched around and learned Basic programming."
Cim's friends are impressed with his skills and ask him to help keep their Web sites secure. His parents aren't really sure what to make of his research.
"They think it's kind of cool, I guess, as they don't understand what I do," he said. "But they also don't want me to stay on the computer all day."
His next move is looking for security vulnerabilities on mobile devices. He's trying to set up a fuzzer (an automated software testing tool) on his iPhone 3GS.
In other internet security news
The hacking group Anonymous has successfully hacked into some U.S. federal websites. Most of the sites shut down by the hackers were up and running early this morning, including the Department of Justice, the FBI and some entertainment sites.
The attack followed what is being referred to as one of the U.S. federal government's largest anti-piracy crackdowns. The hacktivist collective Anonymous admitted that it was responsible for taking down the sites yesterday.
Hours after the announcement of the arrests, some of Megaupload's site visitors turned the table on the feds, knocking the U.S. Department of Justice and the FBI websites offline.
Both sites appeared to be back up this morning, however. A law enforcement official said that the FBI was investigating. Anonymous said ten websites in all were targeted, and early Friday the sites of music publishing and licensing group BMI and record company Universal Music were still down.
When the sites were visited, they said "This site is under maintenance. Please expect it to be back shortly." The hacker group had announced its intentions on Thursday.
"We, Anonymous, are launching our largest attack ever on government and music industry sites. Lulz," the group said in a statement posted late Thursday on an associated Twitter account. "The FBI didn't think they would get away with this did they? They should have expected us."
The hacking group also posted personal information on former Connecticut Senator Chris Dodd, chairman of the Motion Picture Association of America, whose website was one of the targeted sites.
A Justice Department spokesperson, who did not want to be identified, said its Web server was "experiencing a significant increase in activity, resulting in a degradation in service."
"The department is working to ensure the site is available while we investigate the origins of this activity, which is being treated as a malicious act until we can fully identify the root cause of this disruption," the spokesperson said.
The website errors came soon after various Twitter accounts associated with the collective took aim at the U.S. government. Anonymous' favorite weapon for these attacks is what's called a "distributed denial of service" (DDoS) attack, which directs a flood of traffic to a website and temporarily crashes it by overwhelming its servers.
It doesn't actually involve any hacking or security breaches. "One thing is certain: EXPECT US! Megaupload" read one tweet from AnonOps that went out midafternoon. One hour later, the same account tweeted a victory message "Tango down! universalmusic.com & justice.gov are... Megaupload"
Speaking of the Web attacks, an Anonymous representative said 5,635 people used a networking tool called a "low orbit ion cannon." A LOIC is a software tool that aims a massive flood of traffic at a targeted site.
The news comes as lawmakers have turned their attention to anti-piracy legislation. Protests erupted both online and offline this week against two newly proposed bills under consideration in Congress: the House's Stop Online Piracy Act (SOPA) and the Senate's Protect IP Act (PIPA).
The new bills are aimed at cracking down on copyright infringement by restricting access to sites that host or facilitate the trading of pirated content. But the legislation has created a divide between tech giants, who say the language is too broad, and large media companies, who say they are losing millions of dollars each year to rampant online piracy.
On Twitter, YourAnonNews said that yesterday's attacks meant an involuntary blackout for sites of SOPA supporters. Universal Music's website went down Thursday afternoon. The music company had been locked in a legal battle with Megaupload over a YouTube video that featured many of Universal Music's signed artists promoting Megaupload's site.
The websites of the Recording Industry Association of America and Motion Picture Association of America were out of action Thursday afternoon, but they appeared to be back up later in the evening.
"The fact that a couple of sites might have been taken down is really subordinate to the significant news today that the Justice Department brought down one of the world's most notorious file-sharing hubs," he said.
The Anonymous attack came soon after the Justice Department announced the indictment of seven individuals connected to Megaupload for allegedly operating an "international organized criminal enterprise responsible for massive global online piracy of copyrighted material."
In other internet security news
Once again in the past several months, a new Trojan variant is targeting Facebook users, taking over their computers and asking them for cash.
Over the past three to four years, Facebook has increasingly become the prime target of all kinds of viruses and malware, through links placed on the site that take visitors to websites hosting malware that will infect their computers.
Those links are placed by scammers and hackers who have nothing better to do with their time. The social site has now recruited Websense to scan its vast social network for links to malicious sites.
The 'Carberp Facebook Virus', like its predecessors 'ZeuS' and 'SpyEye', infects users' computers by tricking them into opening PDF files and Excel documents loaded with malicious code, or it simply infects computers through drive-by downloads.
The hidden malware is designed to steal account information, and harvest credentials for email and social-networking sites. Not only that, but a new configuration of the 'Carberp Trojan' also targets Facebook users to ultimately steal eCash vouchers.
Previous malware attacks on Facebook have been designed purely to slurp login info, so this latest skirmish, spotted by transaction security firm Trusteer, can be considered a lot worse. Facebook users need to address this security concern quickly to avoid further issues.
The Carberp variant replaces any Facebook page the user navigates with a fake page notifying the victim that their Facebook account is temporarily locked. Effectively holding Facebook users hostage, the page then asks the mark for their first name, last name, email, date of birth, password and a $25 voucher number to verify their identity and unlock the account.
Trusteer warns that the cash voucher attack is in some ways worse than credit card fraud, because with eCash it is the account-holder, not the financial institution, who assumes the liability for fraudulent transactions.
Trusteer said it does not have any concrete data on how many people might have been hit by this particular attack. But it warns social networking users, particularly those with eCash accounts, to be wary of this particular scam and any potential follow-up frauds along the same lines, which might easily trap the unwary Facebook user.
Amit Klein, CTO at Trusteer, says: "This Facebook fraud technique is quite effective. Keep in mind that the user gets an authentic-looking message in the context of a genuine, deliberate log-in page to Facebook. We do know that this is exactly where users are most susceptible to divulging personal information and following additional instructions, as their trust in the content is maximal."
The use of anti-debugging and rootkit techniques makes the Carberp Facebook Trojan difficult to detect, warns security consultancy Context Information Security. Context said: "Carberp is also part of a botnet that can take full control over many infected hosts, while its complicated infection mechanisms and extensive functionality make it a prime candidate for more targeted attacks."
Context also adds that Carberp, which creates a backdoor on infected computers, can be easily controlled from a central administrator control panel, allowing botnet herders to more easily mine stolen data and ask for more cash from Facebook users.
Source: Cim Stordal.