RIAA Site Features TorrentFreak’s Latest News

Written by enigmax on May 04, 2009 

Just a couple of days ago we reported that the MPAA’s website was vulnerable to an XSS attack, which left it displaying torrents from The Pirate Bay. This time a flaw has been discovered in the RIAA’s site, which now allows it to display TorrentFreak’s latest articles.

A cross-site scripting (XSS) attack is a kind of security vulnerability typically found in web applications which allows code to be injected into web pages. The ‘cross site’ element explains how a malicious website could load another site into a frame, giving the appearance that the data all originates from the target site.

Last year we reported that the RIAA’s website had suffered an XSS attack and just a couple of days ago we revealed how the MPAA site was vulnerable to an XSS attack too, one which left it embarrassingly displaying torrents from The Pirate Bay.

Now it is the RIAA’s turn (again) to suffer the same fate. Vektor, who also discovered the MPAA site exploit, told TorrentFreak that he had managed to find a security hole in RIAA.com too. He demonstrated this by using an iframe, an HTML element which makes it possible to embed an HTML document (TorrentFreak, for example) inside another HTML document.

RIAA.com featuring TorrentFreak


As with the MPAA site exploit, Vektor explains that his work on the RIAA site is a proof of concept and should be taken as a joke.

We’re sure the RIAA and MPAA coders will be laughing heartily as they try to plug these holes.


46 Responses

1 May 04, 2009 at 21:10 by F

rofl! pwnt

2 May 04, 2009 at 21:13 by AnonBro

epic win

3 May 04, 2009 at 21:19 by St0fzguier

haha lol own3d

4 May 04, 2009 at 21:22 by Torrentia

Heh. Go TF!

5 May 04, 2009 at 21:29 by God

pwned

6 May 04, 2009 at 21:34 by Anon

I dunno…

Whether or not the sites of the industries we all know and hate are vulnerable to cross-scripting isn’t a huge deal, know what I mean?

It’s a neat little thing, but I hope that nobody ends up citing this as evidence that the RIAA will lose this general battle. (There’s hardly a shortage of THAT around here.)

Also I personally think that vandalism doesn’t do much to advance the cause. We must be honorable criminals, as twisted and evil as we are. =)

7 May 04, 2009 at 21:43 by Down with the tyrants!

Good job!
Maybe that would show some of their flaws and imperfections as opposed to what they show the public of their BS-full propaganda!

They should all rot in hell…

8 May 04, 2009 at 21:44 by Phletch

Funny lol. they kill tpb and then they leave crap like this open

9 May 04, 2009 at 21:47 by Up the pirates

Since TF pages are on their site can the MPAA not be sued for copyright and theft if they don’t take them down quickly enough?

I mean look at the free advertising the MPAA will get in the press thanks to having the TF info up.

I think TF should sue and demand they say sorry in public.

childish maybe but the MPAA would hate it :-)

10 May 04, 2009 at 21:48 by dnA

It is really hilarious to see these guys leaving such vulnerabilities in their own web-sites after spending so much money to bring down TPB.

11 May 04, 2009 at 21:55 by dnA

@Up the pirates
TF should sue MPAA for this act.
I support.

12 May 04, 2009 at 21:57 by Scott

This sounds like TorrentFreak is practically taking credit for the hack… I would think as a legit blog/news site, you guys would want to distance yourselves from what is probably a very illegal exploit here.

13 May 04, 2009 at 22:01 by ME

GOD BLESS HACKERS

14 May 04, 2009 at 22:10 by riaatard

REVOLUTION NOW!!!!!!!!

15 May 04, 2009 at 22:11 by logic voter

the domain where knowledge is the ultimate power, belongs to the pirates hackers and crackers.
fat executive d**ick’s in suits are out of their element
+1

16 May 04, 2009 at 22:31 by Dr. Evil

And when Mr Bigglesworth gets angry… people get hacked!!!

17 May 04, 2009 at 22:46 by Anon

Lol riaa got trolled nice Work guise

18 May 04, 2009 at 22:47 by Gypsy_Hunter_Bob

Epic Win

19 May 04, 2009 at 22:50 by Ghostofchris

LOL keep the fun up :D

20 May 04, 2009 at 23:12 by RoestVrijStaal

ROFLMAO
I think one of the webdesigners of the US will get a very interesting phonecall/email and the income of MediaDefender, MediaSentry, BayTSP and others will be much lower than last month xD

21 May 04, 2009 at 23:31 by Soundwave

What doesn’t kill them makes them stronger.

22 May 05, 2009 at 00:47 by 14/male/newyork

I’m telling mommy!

23 May 05, 2009 at 01:13 by Cujothemadog

10 cents on a dollar says the mpaa/riaa coders are file sharers! :P

24 May 05, 2009 at 01:52 by John DAvis

RIAA = Real Idiots And A-holes!

RT
anonymity.ru.tc

25 May 05, 2009 at 02:25 by Stuart Hannig

Stop acting like idiots. This isn’t a pown3d moment.

Not a real attack... just a bad programmer who didn’t check the code coming in.

this is script kiddie stuff. get a life.

26 May 05, 2009 at 04:46 by Anonymous

@scott very true

27 May 05, 2009 at 04:54 by PetFoodz

@26…

Totally Agreed!..

28 May 05, 2009 at 05:34 by grawss

These morons leaving their links all over the comment section need to die. If you must, put it in your username, not in the comment.

29 May 05, 2009 at 07:49 by Matt

XSS is meaningless unless there are accounts to steal and users dumb enough to click links. In this case, displaying HTML on the user’s end = stupid, pointless. Stuff hackers were doing at 12 years old, really.

30 May 05, 2009 at 08:04 by my 2 cent car crash.

How about gay porn x-linked there?
And/or cock pics

31 May 05, 2009 at 08:04 by Hunted Charlie

I’m all for killing copyright, but I’ve got to point out some liberties taken with this story.

The type of flaw found, XSS (for cross-site scripting), is USUALLY (with some major exceptions) a minor vulnerability that is unlikely to cause any real damage, especially on websites like these. They do not cause any damage to the server and do not change what is displayed to normal website viewers. They are usually easy to fix and I’d guess more than half of all websites have an XSS hole somewhere. They’ve been caught and corrected on google.com, microsoft.com, fbi.gov, cnn.com, ebay.com, yahoo.com, apple.com… actually, it’s hard to think of anywhere there hasn’t been an XSS flaw.

So considering the fact that this 1) happens to just about every site 2) has no ill effects and 3) is easy to fix, maybe this doesn’t deserve a story?

32 May 05, 2009 at 08:44 by Hacker/pirates of the world UNITE

awww but the last hack was a lot more inventive and you people didn’t write about it. an actual exploit that wacked the site to non existence for a whole day.

poor babies can’t stop an outdated html flaw.

33 May 05, 2009 at 09:06 by fleshTH

XSS is retarded. it’s not permanent (unless it’s stored somehow). now if you could give me a link and i can view exactly what that images displays without doing anything extra. then it’s worth something.

34 May 05, 2009 at 09:44 by Calimore

Oh c’mon…

I mean… props to Vektor for discovering the XSS and all but this is hardly worth any news (let alone two news in a few days).

A lot of sites are vulnerable to XSS and you have to send a specially crafted URL to the site to see something like in the screenshot.

This is not something a regular visitor will see so this probably won’t have any effect… In most cases the site admins/coders don’t even bother to fix something like this (although they probably should).

35 May 05, 2009 at 10:28 by Cordelia

Losers! They already knew their site was vulnerable but didn’t bother to fix it.

Well done Vektor!!!

I hope many more will follow his example.

36 May 05, 2009 at 12:11 by Superior

Great job!!!

37 May 05, 2009 at 12:48 by Vektor

@13: Almost everyone who posts news is verifying them and, as post 32 says, no harm is done to their website. If this is illegal, so is google. Nowhere on their website says that you’re not allowed to use their search function to search for specific things. The things you can enter in their search box you can also enter in google’s search box. Append “site:riaa.com” and you have a search function for their website. The difference here is, google shows search results while riaa.com’s search… well… you know…
@26: You’re right, it’s not an attack. It’s just bad programming. And this post is about bad programming, not about hacking. These bugs are very easy to fix and it’s very easy to find them.

BTW I found another XSS in all MPAA’s movie rating sites. While RIAA was filtering keywords in their search box (using a case-sensitive search), here there is no verification at all.
This bug can be used to get fake ratings for a movie or to get ratings for a movie that is not in their database or that doesn’t even exist.
Example for TorrentFreak TV episode 10: http://img209.imageshack.us/img209/6150/ratings1.gif . You wouldn’t download a car.
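The case-sensitive keyword filter mentioned in comment 37, and the injected iframe the article describes, can be checked side by side with proper output encoding. The following is an added example, not code from RIAA.com, TorrentFreak or Vektor; the handler names, the `BLOCKED` list and the sample queries are constructed assumptions.

```javascript
// Added example: a hypothetical search-results handler, not RIAA's code.
// BLOCKED is a constructed list standing in for the keyword filter.
const BLOCKED = ["script", "iframe", "object", "embed"];

// Weak control: strips blocked keywords using an exact, case-sensitive match.
function caseSensitiveFilter(input) {
  let out = String(input);
  for (const word of BLOCKED) out = out.split(word).join("");
  return out;
}

// Correct control: encode every HTML metacharacter at output time.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// The search term is reflected into the results page in both variants.
function renderWeak(query) {
  return `<p>Results for: ${caseSensitiveFilter(query)}</p>`;
}
function renderSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Check: list any tags in the page other than the template's own <p>.
function injectedTags(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.filter((t) => !/^<\/?p>$/i.test(t));
}

// Constructed sample queries (example.org is a placeholder).
const SAMPLES = [
  "beatles",
  '<iframe src="https://example.org/"></iframe>',
  '<IfRaMe src="https://example.org/"></IfRaMe>',
];
for (const q of SAMPLES) {
  console.log(JSON.stringify(q),
    "| filtered:", injectedTags(renderWeak(q)).length, "tag(s)",
    "| encoded:", injectedTags(renderSafe(q)).length, "tag(s)");
}
```

Running `injectedTags` over rendered responses in a test suite is a quick regression check that every reflected parameter is encoded rather than keyword-filtered.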

38 May 05, 2009 at 13:25 by ben

@35

i agree…

it doesn’t show up on anyone else’s machine but your own when you do this. i wouldn’t fix it.

39 May 05, 2009 at 14:02 by Anonymous

@logic voter: “the domain where knowledge is the ultimate power, belongs to the pirates hackers and crackers.
fat executive d**ick’s in suits are out of their element
+1”

Way to go with the retarded comment, considering this will only show up on the clients webpage that’s using a specially crafted URL.

And the “ultimate power” ramblings, you really shouldn’t lie about your level of expertise as you get made to look stoopid like now.

As in you pwned yourself.

40 May 05, 2009 at 15:54 by Anonymous

It certainly goes a long way to defeating the argument that simply making available is equivalent to piracy. By that argument the entire RIAA is now guilty of piracy. I think this is brilliant, just brilliant.

41 May 05, 2009 at 23:31 by Zits

If the RIAA is leaving their ass open to 12 year old script kiddies…this is even worse if you think about it…LOL!

42 May 06, 2009 at 01:24 by herbert

Yes, that is my real email address! Tonight I had the “pleasure” of communicating with a true disciple of the mainstream press. The problem: I have known this person for half my life… Tonight I realized that people who can think for themselves are unwanted in this society! This is not the chatter of someone with too much time on his hands; no, this is a request to people who have the ability to follow someone who will bring this society to its knees. I don’t want to hear any grey mice here; I want people who are ready to see this country, riddled with corruption, burn. This text is no joke, no fun; this is the last opportunity to fight for freedom! Thanks.

I am sorry for my bad english – please, correct that text and copy it. Thank you!

43 May 06, 2009 at 07:11 by anon

isn’t that the same as stealing news articles from Torrent Freak?

someone should teach those bastards about copyrights

44 May 06, 2009 at 16:21 by Anonymouses

lol this shit is ironic, I bet that pisses off MPAA and RIAA. They want to rule the damn Internet, yet they show the inability to protect their own asses from a hacking. That shit is funny as hell. And they want to stop ppl from sharing music and movies. Learn more about computers, dumbasses.

45 May 07, 2009 at 17:27 by jonathan

this is like coding 101, I find it sad honestly.

46 May 07, 2009 at 20:26 by ttyX

Pwnage ;)
