

A Hack With Teeth

Cross-site scripting can hit any Web app - from your dentist's Internet kiosk to your bank ATM

5:45 PM -- Caleb Sima once hacked into his dentist's office's Internet kiosk via a cross-site scripting (XSS) flaw. "I pointed out to my dentist office that I was able to get access to the patient records through their kiosk via XSS," says Sima, CTO and founder of SPI Dynamics and a renowned Web security expert.

Sima's dentist office has since removed the kiosk -- which wasn't very popular, anyway, he says -- but it illustrates a problem that few, with the exception of Sima, seem to be taking very seriously right now: any device with a Web-based interface -- including kiosks and ATMs -- is prone to the pervasive XSS attack.

In other words, anything that's based on a browser (and not just your standard Web apps) can get hit with an XSS attack.

Remember the rumor that the TJX hack was done by attackers posing as employee applicants, who broke into store kiosks, and installed some sort of hardware taps to help them steal data? (See Hacking the Real TJX Story.) Well, Sima wouldn't comment on the case since he isn't privy to information on it, but he did say that in general, such a kiosk attack could be possible using XSS.

"Most companies will stick those kiosks right on the internal network of the store or bank, company, etc. Then they run the kiosk software assuming that hackers can't go anywhere," he says. "But what if a hacker can get XSS running, and pop up new IE instances? Then the sandbox is destroyed."

Some kiosks only provide access to a specific site, but Sima says these are easy to exploit. "Other kiosks are just plain Web-based front ends such as in bookstores or grocery stores, that at some point in the app will repeat back your input. The key is finding those inputs and exploiting them just like normal XSS."

An attacker could inject JavaScript on the kiosk and break into the system, for instance, he says. The same could happen theoretically with an ATM. "You slide in your card, it says your name, welcome, and 'What would you like to do, Caleb?'"

You could write JavaScript onto a blank ATM card and have the ATM execute it, he says.
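The kiosk and ATM scenarios above both come down to the same defect: a screen that repeats untrusted input (a search term, the name read from a card) back into HTML without encoding it for the HTML context. The following is an added example, not code from the article or from SPI Dynamics, showing a greeting screen in its vulnerable and hardened forms plus a small check that a test suite can run; the function names and the sample inputs are constructed for illustration.

```javascript
// Added example (not from the Dark Reading article or SPI Dynamics): a kiosk
// greeting screen that echoes the name read from a card. The names below are
// constructed sample inputs.

// Vulnerable: the name is concatenated straight into HTML, so any markup in the
// input is rendered as markup by the kiosk's embedded browser.
function renderGreetingUnsafe(name) {
  return '<h1>Welcome, ' + name + '! What would you like to do?</h1>';
}

// Encode the five characters HTML treats specially so the input is shown as text.
// Ampersand goes first so already-encoded output is not double-encoded later.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: same screen, but every untrusted value is encoded for the HTML text
// context before it is placed in the page.
function renderGreetingSafe(name) {
  return '<h1>Welcome, ' + escapeHtml(name) + '! What would you like to do?</h1>';
}

// Review/test check: does the rendered page contain any tag other than the ones
// the template itself emits? Any foreign tag means untrusted input reached the
// HTML parser unencoded.
function containsForeignTags(html, allowedTags) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.some(t => !allowedTags.includes(t.replace(/^<\/?/, '').toLowerCase()));
}

// Constructed sample inputs: a normal cardholder name and one carrying markup.
const NORMAL_NAME = 'Caleb';
const MARKUP_NAME = '<script>/* placeholder */</script>Caleb';

// Stand-alone run: show both renderings and the check's verdict for each.
for (const name of [NORMAL_NAME, MARKUP_NAME]) {
  const unsafe = renderGreetingUnsafe(name);
  const safe = renderGreetingSafe(name);
  console.log('unsafe:', unsafe, '-> foreign tags:', containsForeignTags(unsafe, ['h1']));
  console.log('safe:  ', safe, '-> foreign tags:', containsForeignTags(safe, ['h1']));
}
```

The check is deliberately coarse: it flags any tag the template did not emit, which is enough to catch reflected input in a text context during review. On a locked-down kiosk the second half of the fix is the browser configuration itself (no pop-ups or new windows, no navigation outside the allowed site), so that even a missed encoding point does not turn into the sandbox escape Sima describes.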

Sima's not sure how realistic kiosk-hacking is. So before you start plotting revenge against the guy who shoves power tools into your mouth every six months, you'd be better served watching your bank account activity closely instead.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
