Vektor, the hacker who played a joke on the Motion Pictures Association of America (MPAA) earlier this week by listing The Pirate Bay torrents on its own website via an XSS flaw, has disclosed that the Recording Industry Association of America (RIAA) suffers from a similar weakness. Additionally, more MPAA-controlled websites used to search for movie ratings are vulnerable.
Vektor is a member of Team Elite, a group of programmers and security enthusiasts who disclosed cross-site scripting and other Web vulnerabilities in many high-profile websites. Its list of pwned sites so far includes the likes of eBay, Intel, McAfee, Symantec, Kaspersky, Avira and ESET. Late last week, the outfit published details about several XSS weaknesses found in the mpaa.org website.
The newly discovered vulnerability in riaa.com is similar in nature to the MPAA one, as it allows rogue IFrames to be injected into the website's pages. IFrames can be used to load content from external servers and, in order to keep in line with his earlier The Pirate Bay joke, Vektor chose to inject a listing from Mininova, another popular torrent tracker, into the RIAA website.
Furthermore, two more security risks were identified by Vektor, a full path disclosure caused by an error in the email.php script used by the website and an unprotected directory. "This is a proof of concept that proves an XSS on riaa.com website and should be taken as a joke," the hacker, who previously advised that, while exploited in a funny manner, these flaws should not be taken lightly, because they could just as well be used by attackers to serve malicious content to visitors, pinpoints.
In a simultaneous post, Vektor outlines more XSS bugs in another website controlled by the MPAA and used to search for movie ratings. No less than 12 different domain names owned by the association point to this website. "Some people say MPAA's movie rating system is useless, an inconvenience for independent distributors. A bug in their movie rating search websites makes it even more useless," the greyhat writes. "An XSS bug in all these websites allow 'smart marketers' to fake the ratings of a movie or trojan spreaders to infect website visitors," he explains.
The RIAA vulnerabilities seem to have been addressed, except for the full path disclosure error, however, the ones in the MPAA movie-rating website were still active at the time of writing this article and allowed us to take some screenshots of our own.