MASS Cross-Site Defacement

Recently we witnessed the same defacement attack on many major websites. Were all of those sites hacked at the same time, or is there some new kind of zero-day exploit affecting the whole Internet?

Our security team examined the issue, and the attack turns out to be much simpler than one might think.

GIGYA

GIGYA is a Customer Identity Management Platform. It tracks users' activities on your website by placing JavaScript in your pages. GIGYA is pretty popular and many big websites have embedded its scripts. One of the main files that GIGYA injects into your website is called "gigyaGAIntegration.js".

This file is stored on GIGYA's servers and pulled by the websites at page load.

GoDaddy

“GoDaddy” is one of the most famous DNS services in the world. The GIGYA domain “http://cdn.gigya.com/” is registered using this service and is managed by the “GoDaddy” DNS panel. In order to get access to this panel, one needs to obtain the correct username and the password for that “GoDaddy” account.


Syrian Electronic Army

The exact attack details were not disclosed; however, several sources pointed out that the attackers used social engineering techniques to trick "GoDaddy" into providing them with GIGYA's account credentials. There are several other technical ways to obtain such credentials, whether by brute forcing the login page or by leveraging an XSS vulnerability on the "GoDaddy" website. Note that the current "GoDaddy" login mechanism helps attackers by revealing that a username exists: it reports that the account is locked.
In addition, an attacker can cause a denial of service on accounts by performing several unsuccessful login attempts.

The attackers changed the DNS record to point to their own web servers, which served a hostile JavaScript file that showed a popup and redirected the user to the very popular image hosting service "imgur.com".

The image service was serving a banner of the “Syrian Electronic Army” that the attackers uploaded in advance.

Takeaways on 3rd Parties

It is pretty common nowadays to embed 3rd party content in websites. Many sites use Facebook's "Like" button, Google's tracking script, GIGYA, and many others. By embedding a 3rd party in your page you are embedding their security risks as well. Since avoiding 3rd parties is practically impossible, we must be aware of the threats they pose. The first step to manage that risk might be maintaining a copy of the 3rd party script on your own servers rather than relying on 3rd party hosting.
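As an added illustration (not code from the original article or from GIGYA), the self-hosting takeaway above can be turned into a routine check: pin a digest of the vetted copy of the script, record where its CDN host resolved to at that time, and alert when either the served content or the DNS answers drift, which is exactly the change this attack relied on. The script body, the address sets and the file path are constructed samples, not the real gigyaGAIntegration.js; the digest format is the standard Subresource Integrity form that a browser can also enforce on the locally hosted copy.

```python
import base64
import hashlib

# Constructed sample: the third-party script body as it looked when it was vetted
# and copied to our own servers (stand-in for gigyaGAIntegration.js, not the real file).
PINNED_SCRIPT = b"(function(){window.gigyaGA={track:function(e){}};})();\n"

# Constructed sample: the same file after someone else controls the host it is pulled from.
TAMPERED_SCRIPT = PINNED_SCRIPT + b"/* constructed: unexpected trailing code */\n"

# Assumed (constructed, TEST-NET-3 addresses): what the CDN host resolved to when pinned.
EXPECTED_ADDRESSES = {"203.0.113.10", "203.0.113.11"}


def sri_digest(script: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for a script body, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, script).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_matches_pin(script: bytes, pinned: str) -> bool:
    """True when the served body hashes to the digest recorded at vetting time."""
    algo = pinned.split("-", 1)[0]
    return sri_digest(script, algo) == pinned


def resolution_drift(answers, expected) -> set:
    """Addresses the host now resolves to that were not seen when the script was pinned."""
    return set(answers) - set(expected)


def audit_third_party(script: bytes, answers, pinned: str, expected) -> list:
    """Return findings; an empty list means the fetched copy and its host look as vetted."""
    findings = []
    if not script_matches_pin(script, pinned):
        findings.append("content drift: served script no longer matches the pinned digest")
    drift = resolution_drift(answers, expected)
    if drift:
        findings.append(f"dns drift: host now resolves to unexpected address(es) {sorted(drift)}")
    return findings


def script_tag(src: str, pinned: str) -> str:
    """Tag for the locally hosted copy; the browser refuses to run it if the digest differs."""
    return f'<script src="{src}" integrity="{pinned}" crossorigin="anonymous"></script>'


if __name__ == "__main__":
    pin = sri_digest(PINNED_SCRIPT)
    print(script_tag("/static/vendor/gigyaGAIntegration.js", pin))  # assumed local path
    for finding in audit_third_party(TAMPERED_SCRIPT, {"198.51.100.7"}, pin, EXPECTED_ADDRESSES):
        print("ALERT:", finding)
```

Running the check from a scheduled job that fetches the upstream file and resolves its host turns a silent DNS hijack into an alert before the altered script reaches visitors.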

Published Dec 14, 2014
Version 1.0
