Hacker re-writes Yahoo! news stories

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

Hacker re-writes Yahoo! news stories
16:35 20 September 01
Will Knight

A computer security expert has revealed how he altered news articles posted to Yahoo!'s web site without permission. The incident highlights the danger of hackers posting misleading information to respected news outlets, say experts.

Freelance security consultant Adrian Lamo demonstrated that, armed only with an ordinary internet browser, he could access the content management system that Yahoo!'s staff use to upload daily news. Lamo added the false quotes to stories to prove the hole was real to computer specialist site Security Focus.

Yahoo! has issued a statement saying the vulnerability has been fixed and security is being reviewed. But experts say that the incident demonstrates a serious risk. "Just think how much damage you could do by changing the quarterly results of a company in a story," says J J Grey, a consultant with computer consultants @Stake.

Digital graffiti

It is not uncommon for some computer hackers to daub graffiti on a web site once they have gained access. But Peter Sommer, an expert in computer crime at the London School of Economics, says that carefully changing information posted to a major web site could be far more serious. "If it is done in a subtle way then this could spread misinformation," Sommer told New Scientist. "It's unfortunate that Yahoo! is the largest and most important portal in the world."

Yahoo! is one of the most popular destinations on the internet. In June 2001 the site had more than 200 million visitors. Yahoo! takes news feeds from a wide range of news agencies and web sites. Lamo says he was disturbed to have had access to the system during recent terrorist attacks on America, when internet news sites were in great demand. "At that point I had more potential readership than the Washington Post," Lamo told Security Focus. "It could have caused a lot of people who were interested in the day's events a lot of unwarranted grief if false and misleading information had been put up."

Access by proxy

Lamo used intermediary computer systems called proxy servers that connect Yahoo!'s internal computer network to the internet. He configured his browser to trick the proxy into giving him access to all the applications available to those inside Yahoo!'s network. From here, he found no password protection or other barriers preventing him from posting or altering Yahoo!'s stories.
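The proxy weakness the article describes, expressed as the access-control check a defender would want in place, as an added example that is not from the article or from Yahoo!: an outbound forward proxy that should serve only internal clients, with a small audit over constructed log lines. The address ranges, the hostnames and the log format are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed internal address space and DNS zones (placeholders, not Yahoo!'s).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIXES = (".internal.example", ".corp.example")


@dataclass
class ProxyRequest:
    client_ip: str    # who is asking the proxy to forward
    target_host: str  # Host header / URL host of the request
    target_ip: str    # resolved target (supplied inline so this runs offline)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def policy_decision(req: ProxyRequest):
    """Return (decision, reason). The weak configuration in the story is the
    absence of this check: forward any client's request to any destination."""
    client_inside = is_internal(req.client_ip)
    dest_internal = (is_internal(req.target_ip)
                     or req.target_host.endswith(INTERNAL_SUFFIXES))
    if not client_inside and dest_internal:
        return "deny", "external client reaching internal destination"
    if not client_inside:
        return "deny", "proxy is outbound-only; external clients not served"
    return "allow", "internal client outbound"


def audit(log_lines):
    """Replay constructed proxy log lines ('client_ip host target_ip') and
    return every request the policy would have refused."""
    findings = []
    for line in log_lines:
        client_ip, host, target_ip = line.split()
        decision, reason = policy_decision(ProxyRequest(client_ip, host, target_ip))
        if decision == "deny":
            findings.append((client_ip, host, reason))
    return findings


# Constructed sample log: the reported hole, normal use, and an open relay.
SAMPLE_LOG = [
    "203.0.113.7 cms.internal.example 10.1.2.3",
    "10.1.5.9 www.example.com 198.51.100.20",
    "203.0.113.7 www.example.com 198.51.100.20",
]
```

Running `audit(SAMPLE_LOG)` flags the first and third lines; only the internal client's outbound request passes.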

Lamo demonstrated this by adding quotes to a story about a Russian computer programmer who faces prosecution in the US for developing software that allows electronic books to be copied without permission. The false quotes were attributed to President George W Bush and read: "Some children may have been subjected to the works of Mark Twain or Foucault, but this flagrant illegality will not continue. They shall not overcome. Whoever told them the truth would make them free was obviously unfamiliar with federal law."

Lamo has drawn attention to other serious security vulnerabilities in the past. In June 2001, he discovered a problem with proxy servers connected to the US web company Excite@Home that also gave access to its internal network. In December 2000, he pinpointed a bug that could give unauthorised access to AOL instant messenger accounts.

http://www.newscientist.com/news/news.jsp?id=ns99991329

-- Rich Marsh (marshr@airmail.net), September 20, 2001

Answers

If anyone is interested in the case of the Russian programmer, who is being held in the US, have a look here.

It gives an insight into the lengths some companies are going to in order to try to vastly increase their copyright control.

-- a programmer (a@programmer.com), September 20, 2001.
