An Apple a Day Really Doesn’t Keep Cross Site Scripting Away
“apple” (CC BY 2.0) by www.tOrange.biz
They say that an apple a day keeps the doctor away, but does it keep viruses away? For more than a decade the common assumption among most Apple product owners has been that they’re impervious to the attacks of hackers, cybercriminals and everything else in between.
Owing to Apple’s own marketing material and a general ignorance about Internet security, most people have wrongly assumed for many years that Apple products are bulletproof. Unfortunately, that simply isn’t true anymore; not least because the way in which hackers operate has become infinitely more complex.
Hoping to debunk this tech myth recently was the Huffington Post’s Jason Glassberg, and there’s good reason for his efforts. While many Mac users will blindly browse the web and throw around their personal details as if they aren’t in any danger, that couldn’t be further from the truth.
XSS Attacks Persist
“Credit Card Theft” (CC BY 2.0) by Don Hankins
Everyone, regardless of their operating system or relative size in the virtual world, is vulnerable if they don’t have the necessary security provisions in place. In fact, two high-profile cross-site scripting (XSS) attacks in recent weeks have once again highlighted the need for vigilance online.
First to fall foul of hackers back in May was online domain registrar GoDaddy. Unearthed by eagle-eyed expert Matthew Bryant, the XSS vulnerability in the system used by GoDaddy’s support agents was reportedly like an unexploded mine.
After spotting the issue, Bryant dug into the system and found that the “name” field on a certain GoDaddy page accepted and stored an XSS payload. Fortunately, no customers were affected by the vulnerability and GoDaddy has since patched the leak, but the issue of XSS isn’t going away any time soon.
The other major platform that was recently forced to issue a security update was WordPress. The popular blogging platform issued a press release telling those using the Jetpack plug-in to update the software due to an XSS vulnerability.
The flaw was discovered by security firm Sucuri and according to the stats, an estimated one million users are at risk if they don’t update. After analysing the fault, Sucuri found that a bug in the Shortcode Embeds Jetpack module could be exploited to allow malicious JavaScript to be injected into the user’s site.
Anyone who doesn’t update their software could find themselves having SEO spam injected into a page; spam which would then redirect visitors to a malicious site. This, in a nutshell, is one of the main reasons XSS protection is becoming increasingly necessary for website owners of all shapes and sizes.
Reflections Can be Dangerous
“reflection” (CC BY 2.0) by bullemhead
According to Imperva Incapsula, XSS and, in particular, reflected XSS attacks, which are otherwise known as non-persistent attacks, are basically a “numbers game”. In simple terms, a reflected XSS attack doesn’t require the perpetrator to inject malicious scripts into a vulnerable website.
Instead, hackers can inject the script into a link and distribute it thousands of times via emails, comments on blog posts and through social media feeds. The relative ease with which infected links can be sent means a cybercriminal can simply flood a mailing list with links and hope just a small percentage of recipients open one.
While this style of attack is different to the one found on GoDaddy’s site, the principle is still the same and, if you’re an Apple user, the consequences are the same. In fact, according to data from Kaspersky, OS X specific attacks increased by 3,600% between 2010 and 2014, which suggests that Apple users now need to be more vigilant than ever.
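The reflected case described above comes down to a page echoing a value from the link back into its HTML. The following is an added example, not code from the article or from any of the sites it mentions: the `shop.example` URL, the `name` parameter, the function names and the payload are all constructed for illustration. The same output encoding applies when the value comes from a stored field, such as the “name” field in the GoDaddy case, rather than from a link.

```javascript
// Added example (not from the original article). The page, parameter and
// payload below are constructed for illustration.

// Encode the five characters that let text break out of HTML element
// content or a quoted attribute value.
function escapeHtml(text) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Vulnerable: the "name" query parameter is copied into the page as-is.
function renderGreetingUnsafe(requestUrl) {
  const name = new URL(requestUrl).searchParams.get('name') ?? '';
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: the same value is HTML-encoded at the point of output.
function renderGreetingSafe(requestUrl) {
  const name = new URL(requestUrl).searchParams.get('name') ?? '';
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Rough check for whether a response carries markup the template did
// not intend: any tag other than the template's own <p>.
function containsInjectedMarkup(html) {
  const tags = html.match(/<\/?([a-z][a-z0-9]*)\b[^>]*>/gi) ?? [];
  return tags.some((tag) => !/^<\/?p>$/i.test(tag));
}

// Constructed link of the kind distributed in a reflected XSS campaign.
const craftedLink =
  'https://shop.example/welcome?name=' +
  encodeURIComponent('<script>alert("xss")</script>');

const unsafeHtml = renderGreetingUnsafe(craftedLink);
const safeHtml = renderGreetingSafe(craftedLink);

console.log(unsafeHtml, containsInjectedMarkup(unsafeHtml));
console.log(safeHtml, containsInjectedMarkup(safeHtml));
```

In the hardened output the payload arrives in the browser as visible text instead of a script element, which is why encoding at the point of output matters whichever operating system the visitor uses.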
Be Smart, Stay Safe and Never Assume
“virus” (CC BY 2.0) by nikcname
Fortunately, there are plenty of ways for users to protect their systems. From Web Application Firewalls to remaining vigilant against reflected XSS attack attempts, users can now arm themselves against the army of cybercriminals out there. In fact, if there’s one message to take away from this as an Apple user it’s this: don’t assume you’re safe just because you’re not using a PC. As the GoDaddy and WordPress cases have shown, anyone can be struck down at any time and the only way to ensure XSS attacks and the like don’t ruin your online experience is to arm yourself with as much knowledge as possible and, moreover, the right tools.
While it might be trendy to say “Macs are safer than PCs”, the reality is that we live in an age of advanced cybercrime and, whatever system you’re using, your data can be compromised. However, if you stay vigilant and use the tools that are on offer, you should find your Apple product doesn’t leave you with an upset stomach.