informa
/
News

A Hack With Teeth

Cross-site scripting can hit any Web app - from your dentist's Internet kiosk to your bank ATM

5:45 PM -- Caleb Sima once hacked into his dentist's office's Internet kiosk via a cross-site scripting (XSS) flaw. "I pointed out to my dentist office that I was able to get access to the patient records through their kiosk via XSS," says Sima, CTO and founder of SPI Dynamics and a renowned Web security expert.

Sima's dentist office has since removed the kiosk -- which wasn't very popular, anyway, he says -- but it illustrates a problem that few, with the exception of Sima, seem to be taking very seriously right now: how any Web interface-based devices -- including kiosks and ATM machines -- are prone to the pervasive XSS attack.

In other words, anything that's based on a browser (and not just your standard Web apps), can get hit with an XSS attack.

Remember the rumor that the TJX hack was done by attackers posing as employee applicants, who broke into store kiosks, and installed some sort of hardware taps to help them steal data? (See Hacking the Real TJX Story.) Well, Sima wouldn't comment on the case since he isn't privy to information on it, but he did say that in general, such a kiosk attack could be possible using XSS.

"Most companies will stick those kiosks right on the internal network of the store or bank, company, etc. Then they run the kiosk software assuming that hackers can't go anywhere," he says. "But what if a hacker can get XSS running, and pop up new IE instances? Then the sandbox is destroyed."

Some kiosks only provide access to a specific site, but Sima says these are easy to exploit. "Other kiosks are just plain Web-based front ends such as in bookstores or grocery stores, that at some point in the app will repeat back your input. The key is finding those inputs and exploiting them just like normal XSS."

An attacker could inject JavaScript on the kiosk and break into the system, for instance, he says. The same could happen theoretically with an ATM. "You slide in your card, it says your name, welcome, and 'What would you like to do, Caleb?'"

You could write JavaScript onto a blank ATM card and have it execute it via the ATM machine, he says.

Sima's not sure how realistic kiosk-hacking is. So before you start plotting revenge against the guy who shoves power tools into your mouth every six months, you'd be better served watching your bank account activity closely instead.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • SPI Dynamics
  • Recommended Reading: