Recently we were contacted by Rosario Valotta, who shared his latest research paper and a proof of concept of what he defines as a cross webmail worm (XWW). Rosario implemented the worm to demonstrate the significant negative impact it could have on unaware users of well-known webmail providers that are vulnerable to XSS. He named the worm "Nduja connection".
Apparently, Nduja "is a soft, spicy hot, spreadable salami considered one of the most famous, if not the most famous, of typical Calabrian foods." In case you are interested, this is how to make penne rigate with nduja! :-P
The worm is written purely in JavaScript. Spreadable like the salami, its main feature is the ability to propagate across multiple webmail sites that are vulnerable to XSS. Based on his well-founded explanations, the code pieces he provided, and the PoC video demonstration, I can confidently say that I trust his claim that "Nduja connection" is currently working perfectly. The video is a great demonstration of the XSS/XWW worm, not least because it displays a JavaScript alert window with information at every step of its propagation. A malicious user of the worm could edit its source code so that it no longer displays such alerts, which would make the worm run in "stealth" mode against unsuspecting users of the vulnerable webmails.
According to Rosario, his aim "is only to show the possible critical consequences deriving from not caring about XSS vulns, mainly in services with a critical customer base like webmails are."
Certainly his aim sounds very familiar to me! As far as XSS is concerned, I strongly believe that the community of web application security researchers is mostly striving towards the same aim, especially in the last few years. Poor XSS! You are so underestimated, yet a major threat if you fall into the wrong but experienced hands.
Almost on a daily basis, we mirror XSSed online services with a critical customer base. Stakeholders are crucial to the successful operation of these services. Protecting their privacy should be our goal, because some people forget, some people are lazy, and some others are not vigilant enough about protecting their sensitive personal information. Whatever the reason an online service is insecure, that reason is enough for malicious people to exploit it.
Therefore a recommended solution is to use a secure browser. Bear in mind that no browser is secure in its default installation; you must configure it for security. The functionality of a website is largely dependent on the software used and its configuration (be it a browser, a browser plugin, or a firewall).