Via Richard Smith and Tom Adams. FT Alphaville is also on the case and informs us that this is really not a hack but a URL script trick. Click to enlarge.
I suspect many readers would be happier if there was a real hack in progress.
Whoa.
‘Hacking’ seems to be the Word of the Day. (See also: News of the World).
Crikey.
It was a real hack…
When you accessed “Moody’s Research & Ratings” on Facebook, you were redirected to that page…
If you look now on Facebook, you won’t find their page because they shut it down…
This was a real hack of Moody’s page.
I’ve got the link, but the comment form doesn’t allow pasting the full URL, I will try:
http://www.moodys.com/pages/viewall_researchratings.aspx?bd=4294966708&ed=4294966848&rd=4294966708&tb=0&po=0&sb&sd&std&end&sk&ol&lang=en&cy=global&searchfrom=SearchWithin&kw=%3Cdiv+style%3D%22position%3A+absolute%3Btop%3A100px%3Bright%3A0px%3Bheight%3A950px%3Bwidth%3A965px%3Bz-index%3A5%3B%22%3E%3Cimg+src%3D%22http%3A%2F%2Fwww.pixoload.de%2F%3Fdi%3D1613100046698%22%2F%3E%3C%2Fdiv%3E
I could not get the link to work either. As a software architect in the ‘internets’ I feel qualified to offer a couple of comments.
The screenshot clearly has “moodys.com” in the URL. This would not be possible if someone had not manipulated a machine they did not own – either at Moody’s, or by embedding scripts unwittingly in an end user’s browser. I think either of these qualifies as a hack. The phrase ‘URL trick’ seems to imply that Moody’s servers have not been breached, but I see no proof of that either. Manipulating URLs within a server farm is no less of a security breach than manipulating web pages or data.
It appears to be a cross site scripting bug associated with their search functionality.
Bob Said:
“The screen shot clearly has “moodys.com” in the url. This would not be possible if someone had not manipulated a machine they did not own – either at moody’s, or by embedding scripts unwittingly in an end users browse”
I disagree.
You can set up your own DNS server and point http://www.moodys.com to your own, fake web server. We do such things all the time, for legitimate (internal testing) reasons.
Heck, you can edit your local hosts file and save yourself the trouble. We do this too.
And you can just write anything you want and take a screenshot you dumb ass.
Dear “Software Architect”, this “URL trick” looks like a special kind of ‘hackless hack’ that has become very popular of late. It does NOT require modification of or access to the ‘target’ servers, since all the information is injected in the URL.
All it requires is a buggy server script that allows a part of the URL to be interpreted as HTML, thus showing whatever the ‘hacker’ wants.
Such bugs are usually corrected as soon as the ‘hacker’ propagates his victory, since they are of a very simple nature. That’s why you usually only find them in the form of screenshots, which btw are really easy to fake, or eventually in Google’s cache if the URL gets popular as a google search before the bug is corrected.
So rather than a hack, this is a bug in the server.
(Not to be confused with SQL injection attacks, which might lead to more serious hacks.)
Bottom line, looks like there was no security breach.
Disclaimer: I despise Moody’s and what it represents.
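What the commenter above describes is a reflected cross-site scripting bug: the search keyword travels only in the URL, is echoed into the page without encoding, and the browser parses it as markup. The example below is added here and is not code from the original post or from Moody’s; the page layout, the `kw` parameter name, the host name and the overlay image URL are assumptions, and the access-log lines are constructed. It shows the vulnerable echo beside the output-encoded fix, and a small triage function a defender could run over request logs to spot the pattern.

```python
"""Reflected XSS via a search keyword: vulnerable echo, encoded fix, and log triage.

Added example, not code from the original post or from the site it discusses.
Assumptions: a search page that echoes its ``kw`` query parameter into HTML,
a placeholder host (search.example.invalid) and a placeholder overlay image URL.
"""
import html
from urllib.parse import urlsplit, parse_qs

# Constructed request URL shaped like the one posted in the thread: an
# absolutely positioned <div> carrying an <img> is passed in the ``kw``
# parameter. Host and image URL are placeholders, not the thread's values.
SAMPLE_URL = (
    "http://search.example.invalid/viewall.aspx?lang=en&kw="
    "%3Cdiv+style%3D%22position%3Aabsolute%3Btop%3A100px%22%3E"
    "%3Cimg+src%3D%22https%3A%2F%2Fexample.invalid%2Foverlay.png%22%2F%3E%3C%2Fdiv%3E"
)

# Constructed access-log lines (Common Log Format). The second one carries
# encoded tags in ``kw``; the first is an ordinary search.
LOG_LINES = [
    '203.0.113.5 - - [01/Jan/2000:10:00:00 +0000] '
    '"GET /viewall.aspx?lang=en&kw=portugal HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2000:10:00:02 +0000] '
    '"GET /viewall.aspx?lang=en&kw=%3Cdiv%3Ehi%3C%2Fdiv%3E HTTP/1.1" 200 5301',
]


def keyword_from_url(url: str) -> str:
    """Return the URL-decoded ``kw`` query parameter ('' if absent).

    parse_qs turns '+' into spaces and decodes %XX escapes, which is exactly
    what the server does before the value reaches the page template.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("kw", [""])[0]


def render_results_vulnerable(kw: str) -> str:
    """'Before': the keyword is concatenated straight into the HTML, so any
    tags it contains become part of the page the browser renders."""
    return f"<p>Results for: {kw}</p>"


def render_results_hardened(kw: str) -> str:
    """'After': the keyword is HTML-entity-encoded for the element-text
    context it lands in, so the browser shows the tags as literal text."""
    return f"<p>Results for: {html.escape(kw, quote=True)}</p>"


def contains_markup(fragment: str) -> bool:
    """Does the rendered fragment carry tags beyond the page's own <p> wrapper?
    Used here only to make the before/after difference checkable."""
    inner = fragment[len("<p>Results for: "):-len("</p>")]
    return "<" in inner or ">" in inner


def detect_reflected_markup(log_lines):
    """Defender-side triage: return the log lines whose ``kw`` parameter
    decodes to something containing an HTML tag. Encoded '<' and '>' in a
    search parameter are the footprint this kind of reflected XSS leaves."""
    flagged = []
    for line in log_lines:
        # Request target is the second token inside the quoted request line.
        request_target = line.split('"')[1].split(" ")[1]
        kw = keyword_from_url("http://placeholder" + request_target)
        if "<" in kw and ">" in kw:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    kw = keyword_from_url(SAMPLE_URL)
    print("vulnerable:", render_results_vulnerable(kw))
    print("hardened:  ", render_results_hardened(kw))
    print("flagged:   ", detect_reflected_markup(LOG_LINES))
```

The fix is contextual output encoding at the point of insertion; the same keyword placed inside an attribute or a script block would need the encoding appropriate to that context rather than the element-text escaping shown here. Because nothing is stored server-side, the defect disappears the moment the template is fixed, which is why, as the comment notes, such cases usually survive only as screenshots or cached search results.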
Serves them right!…LOL
Psychoanalystus
We are own you.
Fannie Mae’s proprietary underwriting software. Pay Licensed Closed Source.
are we sure they were hacked?
looks like typical Moody’s research to me.
hard to differentiate Moody’s “research” from hacker jokes these days.
hahahaha priceless
This was an XSS, and not even a stored XSS at that. I wouldn’t really class this as an attack, but meh…
http://www.moodys.com/help.aspx?hlkw=http://www.moodys.com/page/search.aspx?kw=<
this one will work….
http://www.moodys.com/help.aspx?hlkw=http://www.moodys.com/page/search.aspx?kw=
dfsfsd
It was real, it showed up in the News in Portugal – we’re pissed off with Moody’s and many groups are launching stress attacks against them. Mine has over 50.000 people.
“it was real, it showed up in the news” ha…ha.
This is exactly why humanity is totally going in the wrong direction. “Everything in the news must be true.” Don’t forget that it is people like anyone else behind the news, with their interpretation and their degree of comprehension. And when it comes to hacking, I personally highly doubt their good understanding of the why and how. What? There was an expert? Don’t worry, they are not all “experts”. Thank you for the exhibit…
Whether it is a hack or not, it got in the news all over the world and everyone is laughing at them.
Moody’s and all the other companies like that (who caused the previous economic crisis as well) deserve every grief that people can throw at them.
I’m not Portuguese, but I feel the same as the people of Portugalia feel nowadays.
So many signs – if you zoom in a bit – show that it’s a fake. Right now I think I would know how to do it but am too lazy to try… it really seems not very complicated…