The rise of hosted services is giving new opportunities to malware. Consider the case of blogger David Airey. Late last year he had an unpleasant surprise. His domain name had been transferred to a criminal without his knowledge. An email to the new owner resulted in a demand for money. In the meantime, his site had disappeared from the internet, and although he could start a new site, he had lost his Google search rank.
The cost of the lost business was in excess of the extortionist’s demand, so there was an argument for paying up quietly. Logic like this perpetuates the problem, so it is great that Airey chose instead to blog about the problem, drawing some high-profile attention and eventually securing the return of his domain through the intervention of the chief executive of GoDaddy, the ISP that was hosting the stolen domain.
Technically, the problem was caused by a cross-site request forgery against Google’s email service. Airey must have visited a compromised site while logged into his Google Mail account. A script on the compromised site posted a request to Google which set up a mail filter. The mail filter forwarded any emails concerning domain transfer to the scammer, then deleted them from the inbox. When Airey announced on his blog that he was taking a holiday, the fraudster made his move.
Google has apparently fixed this security hole, though this would not remove existing malevolent filters. It is disappointing that users have not been notified of the risk. Still, the real lessons from Airey’s experience are not confined to this particular case. Users are now mostly aware of desktop risks like running email attachments, but how many realise the security benefits of logging out of web-based services, rather than enjoying the convenience of persistent log-in, or the risks of having secure pages open on one tab of their browser while clicking random search links in another? Attacks like cross-site scripting and cross-site request forgery are subtle and hard to spot. Another part of the problem is that web vendors such as Google or Facebook are keen to encourage users to be logged in permanently.
Airey’s story is thought-provoking. In part it is about the value of domain names, the vulnerability of web-based businesses, and the risks of sharing information such as holiday plans in blogs. More generally, it shows that moving data from local servers to the cloud changes, but does not remove, security risks.
While firms can easily lock down desktops, controlling what users do on the internet is more difficult. As web applications become more critical, securing the desktop is no longer enough.




