Kid hackers break XSS defences, find hack hole in 2 million websites

Hackers Karim Rahal and Ibram Marzouk have found multiple cross-site scripting vulnerabilities in the HTML Comment Box widget, flaws that opened avenues to compromise visitors to some of the 2 million websites that use it. Rahal (@KarimPwnz) and Marzouk (@0xibram), both 14-year-old students based in Lebanon, reported the flaws through Detectify's …

  1. Grommet

    Your article didn't seem to make it that clear what software was affected by this. Did some further looking and it's a bit of software actually called "Html Comment Box" which is found at https://www.htmlcommentbox.com/

    Fortunately never used it so not affected.

    1. Ole Juul

      It's a Google thing. From the site: "To be the moderator for this comment box, Log in to your Google account before you copy the code."

  2. Anonymous Coward

    That's what happens when you can mix text formatting with executable code

    HTML has been hopelessly broken since it allowed executable code within what should have been text formatting. A sensible mode wouldn't have allowed it, keeping it separate and enforcing the source.

  3. John Smith 19 Gold badge
    WTF?

    Good work kids.

    As for skiddies at https://www.htmlcommentbox.com/

    Do you actually get paid to write that s**t?

  4. Anonymous Coward

    Cross-site scripting bugs

    The root cause of these types of bugs is allowing one webpage to call a script residing on another domain, great for inserting adverts, not so great for security.

    1. Ian Michael Gumby

      Re: Cross-site scripting bugs

      The sad thing...

      It shows just how lazy people are and how trusting they are of others. If you don't know who wrote the code, why do you trust it?

      1. John Brown (no body) Silver badge

        Re: Cross-site scripting bugs

        ... because they did a "Learn to be a web designer in 20 days" course and started spamming the world.

  5. Syntax Error

    Well Done

    To the two lads in Lebanon. Hope they were well paid.

  6. EnviableOne

    XSS and CSRF along with SQLI are all preventable by good programming. The problem is any kid reckons they can knock something up by pulling one module from here, another from there and expecting them to work, without either the understanding or will to manage the interactions.

    I am off on my high horse again, but if the original coders were worth their salt, the holes would not have been there.
