By Darren Pauli, 22 Sep 2014
Websites across the internet are doing the Harlem Shake after online comedians began exploiting cross-site scripting (XSS) flaws that make pages dance and speakers blare.
The flaws exist in how sites handle DNS text (TXT) records – not in the protocol – due to a lack of sanitisation, and allowed internet scamps to turn boring websites like Who.is into text-wobbling, screen-flashing dance parties.
A registrant of the domain that kicked off the stunt noticed the flaw and dropped <script> and <iframe> tags into TXT records, which were loaded by Who.is and MxToolbox.
The record type can store arbitrary text linked to a domain, which the sites would improperly execute, allowing hackers to pull off XSS attacks.
"The DNS protocol is not vulnerable in this instance – the attack is the result of a vulnerability in the web application and how it parses the results from the DNS query," NCC Group Asia Pacific managing director Wade Alcorn said.
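The parsing flaw described above, shown as an added example that is not code from the article, Who.is or MxToolbox: a lookup page that concatenates TXT record text into HTML, next to the same page with output encoding. The function names and the sample records are constructed for illustration.

```python
import html

# Constructed sample: TXT rdata as a DNS library would return it, one list of
# byte strings per record (each character-string is at most 255 bytes).
SAMPLE_TXT = [
    [b"v=spf1 include:_spf.example.net ~all"],
    [b"<script>alert(1)</script>"],
    [b"<iframe src='//example.invalid/'>", b"</iframe>"],
    [b"caf\xc3\xa9 \xff\x00 & \"quoted\""],
]


def decode_txt(chunks):
    """Join the character-strings of one TXT record into printable text."""
    text = b"".join(chunks).decode("utf-8", errors="replace")
    # Drop control characters; everything else is left for the encoder.
    return "".join(ch for ch in text if ch.isprintable())


def render_unsafe(records):
    """The flaw: record text is concatenated straight into the HTML."""
    rows = "".join(f"<tr><td>{decode_txt(r)}</td></tr>" for r in records)
    return f"<table>{rows}</table>"


def render_safe(records):
    """Same page, but every value is HTML-encoded at the point of output."""
    rows = "".join(
        f"<tr><td>{html.escape(decode_txt(r), quote=True)}</td></tr>"
        for r in records
    )
    return f"<table>{rows}</table>"


def contains_active_markup(page):
    """Crude regression check: did any record text survive as a tag?"""
    lowered = page.lower()
    return "<script" in lowered or "<iframe" in lowered


if __name__ == "__main__":
    print(contains_active_markup(render_unsafe(SAMPLE_TXT)))  # True
    print(contains_active_markup(render_safe(SAMPLE_TXT)))    # False
```

The encoding is applied where the value is written into the page, so the record is still displayed in full, only as text rather than markup.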
Source: The Register. Full article and video: http://www.theregister.co.uk/2014/09/22/whois_does_the_harlem_shake/